While looking at a package.json from a public project from PayPal, Alex Birsan noticed that it held some references to private NPM packages used internally by PayPal. Birsan noticed some of the manifest file packages were not present on the public npm repository but were instead PayPal’s privately created npm packages, used and stored internally …
Tag Archives: npm
Super fast npm install on Github Actions
The folks at Voorhoede share how they integrated the actions/cache@v2 build step into their GitHub Workflow so that it caches npm install results. Super fast npm install on Github Actions → Related: By Shallow + Single Branch Cloning you can speed up the git clone step of your build pipeline. The actions/checkout@v2 build step already …
Easily install local NPM packages by simply referring to their local path
Directly installing a package with npm install and referring to its local path is a quick way to work with a local package. To be safe though, the usage of npm link is still recommended. To work with local NPM packages on can reside to using npm link. You make a package available locally with …
Continue reading “Easily install local NPM packages by simply referring to their local path”
GitHub acquires npm
It was suggested that Microsoft/GitHub should have bought npm back in the day, instead of launching their own registry. Today is the day they’ve actually done it: We at GitHub are honored to be part of the next chapter of npm’s story and to help npm continue to scale to meet the needs of the …
Beware when merging Pull Requests with a changed lockfile
When watching a diff that contains a lockfile (say: a yarn.lock for example) on GitHub, GitHub doesn’t always show the differences (see screenshot above) as the changes in such files tend to be quite big. And even if it were to show the changes, does one really take a close look into it? With this …
Continue reading “Beware when merging Pull Requests with a changed lockfile”
Wombat Dressing Room, an npm publication proxy on GCP
When automating the publishing of an NPM package, 2FA can get in the way, as you can’t really automate entering a 2FA auth code off a cellphone. Enter Wombat Dressing Room from Google: With Wombat Dressing Room, rather than an individual configuring two factor authentication in an authenticator app, 2FA is managed by a shared …
Continue reading “Wombat Dressing Room, an npm publication proxy on GCP”
Use a Github repository branch or commit as a dependency in package.json
Recently I needed to test a branch of a forked GitHub repository inside a project. Instead of cloning the fork and symlinking the package locally, I installed the remote dependency directly into the project. To achieve I used the following command: Using NPM: npm install user/repo.git#branchname Using Yarn: yarn add ssh://git@github.com:user/repo.git#branchname 💡 If you’re targeting …
Continue reading “Use a Github repository branch or commit as a dependency in package.json“
Programmatically add scripts to package.json with npm-add-script
Recently I needed to automate the addition of the addition of a script defined in a package.json‘s scripts section. To do this I used npm-add-script (an older, but still functioning project), along with the aforementioned npx. For example, to add a script labelled start with the contents webpack-dev-server –config ./config/webpack.config.babel.js –env.MODE=development –open –hot, I use: …
Continue reading “Programmatically add scripts to package.json with npm-add-script“
Find the cost of adding a npm package to your bundle with BundlePhobia
Ever wondered what the (size) impact of adding an NPM package to your project is? BundlePhobia is a tool that does not only that, it also recommends you other similar packages that have a lesser load. This thing lets you understand the performance cost of npm install‘ing a new npm package before actually adding it …
Continue reading “Find the cost of adding a npm package to your bundle with BundlePhobia”
The Economics of Open Source // Introducing Entropic, a federated package registry
At JSConf EU 2019, CJ Silverio – former CTO at NPM Inc – gave this talk on why a VC-funded private package registry (read: the one ran by NPM Inc) holds many dangers. The JS package commons is in the hands of a for-profit entity. We trust NPM Inc with our shared code, but we …