Remix.run Logo
Remix clone Hacker News
new | show | ask | jobsGithub
jamesrom 5 hours ago

This is the opposite of "do one thing and do it well" unix philosophy.

You don't need your package manager to invoke your hook. You need _your_ tooling to invoke your hook.

./safely-bump-deps.sh && npm install

Want it global? Use a bash alias.

maxbond an hour ago | parent | next [-]

Lots of Unix stuff uses hooks. cron, init, bash has multiple different hook-shaped files (eg .bashrc). The Unix philosophy isn't a sacred cow, purity over pragmatism was the Multics philosophy.

captn3m0 4 hours ago | parent | prev | next [-]

Aliases and pre-hooks are nowhere near the guarantees you want, that’s what I am arguing - not everything is invoked from a blessed shell. Safely-bump-does.sh is also impossibly hard to write because you are replicating _all of the work NPM does in transitive dependency resolution_. Unless you are re-generating the lock file from scratch - it isn’t safe. Just updating package.json isn’t sufficient for eg.

jamesrom 3 hours ago | parent [-]

safely-bump-deps.sh does not need to do impossibly hard things. It can just call npm: outdated, install --save-exact and/or install --package-lock-only. There's plenty of solutions here.

Pushing this into a hook makes it invisible, implicit, hard to debug, and an entry point for all sorts of undefined behaviours.

staticshock 4 hours ago | parent | prev [-]

Arguably, npm does one thing, but it does it poorly.