#NPM downloads are a funny old metric, when you think about it.
A bunch of my downloads come from the fact that the package is a dependency of a couple of other popular packages/projects (amongst a very large number of smaller web apps and personal projects).
Factor in continuous integration and testing pipelines and "download" becomes more nebulous.
Still, 10k per week is more than I'd ever have thought when I built the thing.
#JavaScript #Node #NPM #SoftwareDevelopment #Programming: "Oh, dear jest. It started as a fast test runner. But now it’s big and fat, it depends on some babel packages while the rest of your app is transpiled by a mix of esbuild and swc. Properly configuring it with ESM and TypeScript was a PhD science project.
You stop to count how many tools and parsers work on your codebase: TypeScript, esbuild, swc, babel, eslint, prettier, jest, webpack, rollup, terser. You are not sure if you missed any. You are not sure if you want to know. The level of pain is so high you forget about anything else."
I love having new staff who simply go "why is it like that...?"
When we moved to CI deployment (a couple of years ago), I created an image with Composer, Node and PHP so we can build and deploy our assets. It was 500 MB.
I was questioned why it was so big and I didn't have a good answer. In the space of a couple of hours (thank you Docker, Alpine and Stack Overflow) I got it down to 100 MB.
I stopped feeling bad about #autotools files (configure.ac Makefile.am m4/*) when I realized how much noise a new maven package throws on your disk.
The main difference is: for #maven / #npm / #cargo / #gradle / #bazel / ... these are autogenerated.
@voxpelli @noim I don't use #yarn much personally, so I'm not sure about those features.
One of the things I don't like about #npx is that it takes the same amount of time as an #npm install, even if I have already run the npx command and downloaded (cached) the packages earlier. I've not found a way around this and I'm really hoping there is a way to run npx #offline.
When I try to contact #NPMjs to recover access to my account, I get support messages from "npm@githubsupport.com". This makes a lot of sense because the quality of support is exactly as bad as I would expect from a #Microsoft-owned organization.
#NPM has locked me out of my account so I can't publish any of my packages anymore. They still link to my GitHub repos though, so I'm replacing them all with Rick Astley videos.
If that doesn't work, I'll have to escalate to ascii art goatse.
Reminder: If you believe #opensource is not sustainable financially (no matter if that is correct or not) and you haven't signed up for @stackaid (or @tidelift if you're an enterprise) – then you're part of the problem, not the solution
GitHub Sponsors and @opencollective only support direct dependencies and not the long tail that makes up e.g. the #npm ecosystem + they both require a fixed amount per project rather than a fixed monthly shared between all projects that you're supporting.
Yikes: “The Register reports that malicious actors are exploiting expired #AWS S3 buckets to inject harmful code into legitimate #npm packages without needing to modify existing code.”
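A practical check to go with that report, added here as an example and not part of the original post or the article it quotes: if a package fetches an install-time artifact from an S3 bucket, the bucket name in its package.json is what an attacker would re-register once it expires. The script below walks every string in a package.json, extracts the bucket name from any S3 URL it finds (virtual-hosted or path-style), and can scan a whole `node_modules` tree. The sample package.json is constructed for the example, and the assumption that the URL lives in a field such as `binary.host` is just that, an assumption about one common layout rather than a statement about any specific package.

```python
"""Added example: find S3 bucket references in package.json files.

Not code from the quoted report; the sample package is constructed.
"""
import json
import os
import re
from typing import Dict, Iterator, List, Tuple

# Matches both URL styles Amazon S3 serves:
#   virtual-hosted: https://<bucket>.s3.amazonaws.com/...  (optionally s3.<region> / s3-<region>)
#   path-style:     https://s3.<region>.amazonaws.com/<bucket>/...
S3_URL = re.compile(
    r"https?://(?:(?P<vh>[a-z0-9.-]+)\.s3(?:[.-][a-z0-9-]+)?\.amazonaws\.com"
    r"|s3(?:[.-][a-z0-9-]+)?\.amazonaws\.com/(?P<ps>[a-z0-9.-]+))",
    re.IGNORECASE,
)


def _strings(obj, path: str = "") -> Iterator[Tuple[str, str]]:
    """Yield (json_path, value) for every string anywhere in a JSON document."""
    if isinstance(obj, str):
        yield path, obj
    elif isinstance(obj, dict):
        for key, value in obj.items():
            yield from _strings(value, f"{path}.{key}" if path else key)
    elif isinstance(obj, list):
        for i, value in enumerate(obj):
            yield from _strings(value, f"{path}[{i}]")


def find_s3_refs(package_json: str) -> List[Tuple[str, str]]:
    """Return (json_path, bucket_name) for each S3 URL in a package.json text."""
    refs = []
    for path, value in _strings(json.loads(package_json)):
        for match in S3_URL.finditer(value):
            refs.append((path, match.group("vh") or match.group("ps")))
    return refs


def scan_tree(root: str) -> Dict[str, List[Tuple[str, str]]]:
    """Scan every package.json under root (e.g. node_modules); map file -> refs."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        if "package.json" in files:
            full = os.path.join(dirpath, "package.json")
            with open(full, encoding="utf-8") as fh:
                try:
                    refs = find_s3_refs(fh.read())
                except json.JSONDecodeError:
                    continue  # malformed manifest; skip rather than crash the scan
            if refs:
                report[full] = refs
    return report


# Constructed sample: a native addon whose install script pulls a prebuilt
# binary from a bucket named in "binary.host" (field name is an assumption).
SAMPLE_PACKAGE_JSON = json.dumps({
    "name": "example-native-addon",
    "version": "1.0.0",
    "scripts": {"install": "node-pre-gyp install --fallback-to-build"},
    "binary": {
        "module_name": "addon",
        "host": "https://example-prebuilt-binaries.s3.amazonaws.com",
        "remote_path": "./{module_name}/v{version}/",
    },
    "homepage": "https://example.com",
})

if __name__ == "__main__":
    for path, bucket in find_s3_refs(SAMPLE_PACKAGE_JSON):
        print(f"{path}: bucket {bucket!r}")
```

A hit is not proof of compromise; it is the list of buckets whose ownership you need to verify (or pin with a checksum) before the next `npm install` runs that package's install script.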
@skiff open sourced their cryptographic library "including useful functions for symmetric encryption, asymmetric encryption, hashing, and more. Contributions and suggestions are welcome!"