cozzyd 4 hours ago

That's one way to fix supply chain vulnerabilities.

tantalor 4 hours ago | parent | next [-]

Can't have any vulnerabilities if you don't have a supply chain

nine_k 4 hours ago | parent | prev [-]

More seriously, keeping a local cache of external npm packages, and a local artifact storage for internal npm packages looks like a wise thing to have done long ago. Might be cheaper in the long run.

Ironically, both Nandu and Verdaccio are implemented in TypeScript and install via npm.

(Same logic obviously applies to Python packages, Docker images, etc.)

hmokiguess 3 hours ago | parent | next [-]

At my former job we had a private registry that was a mirror of npm’s with an approval gate for packages devs would request and it would always pin versions

I took that for granted back then and just assumed it was standard enterprise policy

jamesfinlayson 44 minutes ago | parent [-]

Multiple previous jobs had this too (local Packagist is a thing, Artifactory is another) but my current job got rid of theirs. Seemed a little short-sighted given the risks but I don't make the decisions.

spartanatreyu an hour ago | parent | prev | next [-]

> a local artifact storage for internal npm packages looks like a wise thing to have done long ago

Deno already does this invisibly by default.

All packages are stored in the global cache.

No need to store multiple versions of the same dependencies across projects.

To the code in your projects: there is no such thing as a global cache. Just import your dependencies like normal and deno maps them to the global cache.

miohtama 4 hours ago | parent | prev | next [-]

If only we had a turnkey distributed cache, like IPFS

ibejoeb 3 hours ago | parent | next [-]

Does IPFS support content eviction now? If not, that could go wrong really fast. You get a compromised package out there and then, I think, literally every node needs to unpin it or it remains.

zadikian 2 hours ago | parent [-]

Presumably, however you mark a version as latest would also be how you mark one as compromised. IPFS files are immutable and keyed by hash. But this seems like overengineering.

cluckindan 4 hours ago | parent | prev [-]

Waiting for the BitTorrent package manager

XorNot 4 hours ago | parent | prev [-]

Caching NPM was easier when you could pull the Couchbase replicate API. Afaik that's gone and now you just have to send a bazillion http requests instead.

nine_k 2 hours ago | parent [-]

Sending a bazillion http requests within your LAN, or at least your VPC, is much easier, faster, and cheaper.

Both yarn and pnpm support http/2 which speeds up the bazillion requests quite a bit.