sheetjs
/
sheetjs
11
Fork 17
Code Issues 167 Pull Requests 11 Wiki Activity

Why the move away from npm registry? #2667

New Issue
Closed
opened 2022-04-27 00:14:14 +00:00 by JSin · 15 comments
JSin commented 2022-04-27 00:14:14 +00:00 (Migrated from github.com)
Copy Link

I noticed from this ed18acd63d that you moved away from publishing to the npm registry and recommend people download using tarballs on the CDN. Why did you move away? The npm registry is an extremely common way to download packages.

I noticed from this ed18acd63d7a5cd31527a36a9af54542cdfcfd30 that you moved away from publishing to the npm registry and recommend people download using tarballs on the CDN. Why did you move away? The npm registry is an extremely common way to download packages.
👍 17 👀 2
SheetJSDev commented 2022-04-27 04:12:08 +00:00 (Migrated from github.com)
Copy Link
npm

The package on the npm registry is surprisingly popular (one of the top-500 by dependents). npm invalidated the old publish token and is forcing 2FA on the publishing account.

Due to ongoing legal matters between SheetJS LLC and npm, Inc. (which will not be discussed here), it did not make sense to continue using the public npm registry for distribution.

With GitHub (the owner of NPM) sunsetting the git.io domain with only 4 days notice, we are reminded of the ephemerality of the Internet and the inherent risks of relying on platforms.

<img width="542" alt="npm" src="https://user-images.githubusercontent.com/6070939/165421103-c2909aa8-4e58-4452-976a-2cc4dd8e959e.png"> The package on the npm registry is surprisingly popular (one of the top-500 by dependents). npm invalidated the old publish token and is forcing 2FA on the publishing account. Due to ongoing legal matters between SheetJS LLC and npm, Inc. (which will not be discussed here), it did not make sense to continue using the public npm registry for distribution. With [GitHub (the owner of NPM) sunsetting the git.io domain with only 4 days notice](https://github.blog/changelog/2022-04-25-git-io-deprecation/), we are reminded of the ephemerality of the Internet and the inherent risks of relying on platforms.
👍 19 👎 97 😕 38 👀 17 😆 4
claylevering commented 2022-05-05 16:15:23 +00:00 (Migrated from github.com)
Copy Link

we are reminded of the ephemerality of the Internet and the inherent risks of relying on platforms

https://sheetjs.com/careers

  • familiar with the tumult of open source and remote collaboration
  • not prepared to collaborate with the JavaScript and data communities

Top 500 NPM package list, 1.26 million downloads a week, over 3000 dependent packages and not even a mention in the README regarding the fact ongoing development for this package won't exist any longer in the single largest JS library platform on the planet (after 8 years).

🤔

> we are reminded of the ephemerality of the Internet and the inherent risks of relying on platforms https://sheetjs.com/careers > - familiar with the tumult of open source and remote collaboration > - not prepared to collaborate with the JavaScript and data communities Top 500 NPM package list, 1.26 million downloads a week, over 3000 dependent packages and not even a **mention** in the README regarding the fact ongoing development for this package won't exist any longer in the single largest JS library platform on the planet (after 8 years). 🤔
👍 51 👎 1
ljharb commented 2022-05-05 18:04:47 +00:00 (Migrated from github.com)
Copy Link

Mandatory 2FA should be a noop, as a responsible maintainer would already have it enabled.

npm publish tokens remain exempt from 2FA, so i'm not clear on why that would be an obstacle.

Mandatory 2FA should be a noop, as a responsible maintainer would already have it enabled. npm publish tokens remain exempt from 2FA, so i'm not clear on why that would be an obstacle.
👍 60 ❤️ 14
jonkoops commented 2022-05-05 20:43:25 +00:00 (Migrated from github.com)
Copy Link

Yeah, 2FA should be a no brainer. An tokens are indeed except if specified.

Yeah, 2FA should be a no brainer. An tokens are indeed except if specified.
👍 17
judehunter commented 2022-05-05 21:40:28 +00:00 (Migrated from github.com)
Copy Link

This is bizarre

This is bizarre
👍 29
lynnntropy commented 2022-05-05 22:31:13 +00:00 (Migrated from github.com)
Copy Link

Full disclosure, I happened upon this issue by chance and am not a SheetJS user, but this is... really strange.

The package on the npm registry is surprisingly popular (one of the top-500 by dependents). npm invalidated the old publish token and is forcing 2FA on the publishing account.

What possible justification could you have for taking issue with npm's 2FA requirement for maintainers of popular packages?

With GitHub (the owner of NPM) sunsetting the git.io domain with only 4 days notice, we are reminded of the ephemerality of the Internet and the inherent risks of relying on platforms.

I don't see how this is a reason for silently dropping support for npm. If anything, from the perspective of your users it's an argument for the opposite, because npm is statistically way more likely to exist 5 years from now than your personal CDN.

Maintainers of OSS projects don't owe people anything, of course, but all I can say is you shouldn't be surprised when people (including your paying customers) look at this whole thing and decide to either fork the project or switch to a competing library not maintained by someone who makes decisions like this.

Full disclosure, I happened upon this issue by chance and am not a SheetJS user, but this is... really strange. > The package on the npm registry is surprisingly popular (one of the top-500 by dependents). npm invalidated the old publish token and is forcing 2FA on the publishing account. What possible justification could you have for taking issue with npm's 2FA requirement for maintainers of popular packages? > With [GitHub (the owner of NPM) sunsetting the git.io domain with only 4 days notice](https://github.blog/changelog/2022-04-25-git-io-deprecation/), we are reminded of the ephemerality of the Internet and the inherent risks of relying on platforms. I don't see how this is a reason for silently dropping support for npm. If anything, from the perspective of your users it's an argument for the opposite, because npm is statistically way more likely to exist 5 years from now than your personal CDN. Maintainers of OSS projects don't owe people anything, of course, but all I can say is you shouldn't be surprised when people (including your paying customers) look at this whole thing and decide to either fork the project or switch to a competing library not maintained by someone who makes decisions like this.
👍 54 ❤️ 12
rozzzly commented 2022-05-06 07:54:44 +00:00 (Migrated from github.com)
Copy Link

I'm imagining a conversation somewhere along the lines of:

phone rings. Oh crap it's the CTO! what does he want?!?

Hey, I just got an email saying that our MPM account didn't have 2FA enabled. I think that's like really important, right? Why didn't you have it enabled?

Moment of terror. My predecessor setup the account... I never thought to check if 2FA was enabled! But I probably shouldn't say that to the CTO because I definitely should have noticed. Um what to say.. uh.. um. come on think! think AHA I got it!

Really sir? That is uh very concerning. They must of uh like um deleted our settings.

Deleted our settings?! That's outrageous! They can't do that! Those are OUR settings. You know what, just go ahead and only post it on our site from now on.

Post it on our site? Like a CDN? I mean it was probably just a glitch, I'll uh I'll just reset the security settings. Problem solved.

No. I doubt these MPM guys will be around a lot longer anyways. You will post it on our site only from now on, am I understood?

uh.. yes...

Good work, I'm going to go call the lawyers about this.

CTO hangs up. Oh God what did I just do?!

I'm imagining a conversation somewhere along the lines of: > phone rings. _Oh crap it's the CTO! what does he want?!?_ **Hey, I just got an email saying that our _MPM_ account didn't have 2FA enabled. I think that's like really important, right? Why didn't you have it enabled?** > Moment of terror. _My predecessor setup the account... I never thought to check if 2FA was enabled! But I probably shouldn't say that to the CTO because I definitely should have noticed. Um what to say.. uh.. um. come on think! think AHA I got it!_ _Really sir? That is uh very concerning. They must of uh like um deleted our settings._ **Deleted our settings?! That's outrageous! They can't do that! Those are OUR settings. You know what, just go ahead and only post it on our site from now on.** _Post it on our site? Like a CDN? I mean it was probably just a glitch, I'll uh I'll just reset the security settings. Problem solved._ **No. I doubt these _MPM_ guys will be around a lot longer anyways. You _will_ post it on our site _only_ from now on, am I understood?** _uh.. yes..._ **Good work, I'm going to go call the lawyers about this.** > CTO hangs up. _Oh God what did I just do?!_
😆 37
Directory commented 2022-05-06 20:29:26 +00:00 (Migrated from github.com)
Copy Link

JavaScript hippies back at it again with the tri weekly cdn outages

JavaScript hippies back at it again with the tri weekly cdn outages
😆 12
jameshilliard commented 2022-05-07 22:59:37 +00:00 (Migrated from github.com)
Copy Link

Not sure why one would want to use the sheetjs CDN for npm installs instead of just doing something like this(github based install):

npm install SheetJS/sheetjs#semver:^0.18.6
Not sure why one would want to use the sheetjs CDN for npm installs instead of just doing something like this(github based install): ``` npm install SheetJS/sheetjs#semver:^0.18.6 ```
👍 15 ❤️ 1
bluepuma77 commented 2022-05-31 08:34:57 +00:00 (Migrated from github.com)
Copy Link

npm package xlsx has 1.4 million weekly (!) downloads of outdated version 0.18.5.

@SheetJSDev It would be great if you could add a notice to the npm readme.

A warning during "npm install xlsx" would also be great, mentioning alternative install methods.

[npm package xlsx](https://www.npmjs.com/package/xlsx) has 1.4 million weekly (!) downloads of outdated version 0.18.5. @SheetJSDev It would be great if you could add a notice to the npm readme. A warning during "npm install xlsx" would also be great, mentioning alternative install methods.
👍 7
schw4rzlicht commented 2022-08-30 15:18:07 +00:00 (Migrated from github.com)
Copy Link

Hilarious.

Hilarious.
TruffeCendree commented 2022-09-17 15:44:29 +00:00 (Migrated from github.com)
Copy Link

@SheetJSDev

First, thanks for your amazing work on this library.

Because of security concerns, I prefer relying on npm up-to-date package with proper version management, immutable release binaries and npm audit facilities. I'm sure your users would appreciate an update of the well-known npm registry.

If the issue is 2FA related, other popular packages solved the issue. Without you explaining the other reasons, it is hard to understand the withdraw.

Have a nice day.

@SheetJSDev First, thanks for your amazing work on this library. Because of security concerns, I prefer relying on npm up-to-date package with proper version management, immutable release binaries and `npm audit` facilities. I'm sure your users would appreciate an update of the well-known npm registry. If the issue is 2FA related, other popular packages solved the issue. Without you explaining the other reasons, it is hard to understand the withdraw. Have a nice day.
👍 3
Zainzzkk commented 2023-06-01 21:35:00 +00:00
Copy Link

Highly disappointing that you won't reply to any of the above comments raised by users of SheetJS or at least post a notice on the npm readme.

Means millions still install from npm with no idea, and many must be paying for the pro version without realising what has happened. As someone said above, npm will be here forever basically wheras this CDN could end at any date.

Highly disappointing that you won't reply to any of the above comments raised by users of SheetJS or at least post a notice on the npm readme. Means millions still install from npm with no idea, and many must be paying for the pro version without realising what has happened. As someone said above, npm will be here forever basically wheras this CDN could end at any date.
puchm commented 2023-06-07 11:34:17 +00:00
Copy Link

While I do understand that there is more going on here than meets the eye I would like to raise an additional issue that is caused by this.

In the deployment pipeline of my company, access to the open internet is not possible for security reasons. We have our own registry which is basically a mirror of npm and we have the same for other popular registries (e.g. pip or Docker). This means that our build can only depend on things that are either on npm or already inside a project's repository. Anything besides that is strictly off limits and we are unable to get around this even with a proper proxy configuration.

We are therefore unable to use the latest version in production.
Whatever your matter with npm is, you should consider whether this drastic step is actually necessary. After all, it is only to your disadvantage because people keep using your project via npm but are not using the latest versions. This will hurt the project in the long term.

If this doesn't change within the next few months I will have no choice but to replace SheetJS with something else.

While I do understand that there is more going on here than meets the eye I would like to raise an additional issue that is caused by this. In the deployment pipeline of my company, access to the open internet is not possible for security reasons. We have our own registry which is basically a mirror of npm and we have the same for other popular registries (e.g. pip or Docker). This means that our build can only depend on things that are either on npm or already inside a project's repository. Anything besides that is strictly off limits and we are unable to get around this even with a proper proxy configuration. We are therefore unable to use the latest version in production. Whatever your matter with npm is, you should consider whether this drastic step is actually necessary. After all, it is only to your disadvantage because people keep using your project via npm but are not using the latest versions. This will hurt the project in the long term. If this doesn't change within the next few months I will have no choice but to replace SheetJS with something else.
ivankhm commented 2023-06-11 15:07:30 +00:00
Copy Link

This decision is a complete nonsense.

I can't see how can you can justify omiting publishing to npm by required 2FA.

I'm sorry, but you're not acting like a reasonable company. You're acting like some beginner developer who could not figure out how to install 2FA token app on their phone.

It's gutting the future of this project and it's painfull.

This decision is a complete nonsense. I can't see how can you can justify omiting publishing to npm by required 2FA. I'm sorry, but you're not acting like a reasonable company. You're acting like some beginner developer who could not figure out how to install 2FA token app on their phone. It's gutting the future of this project and it's painfull.
Sign in to join this conversation.
No Branch/Tag Specified
Branches Tags
master
sankhavaramsaitulasiram/feat-fix-2752
maybeswapnil/issue2737
gh-pages
scottysseus/2560_2
ivan-trusov/fix-basedate
nandanv2702/issue_1300
protobi/master
ThomasChan/master
grantfayvor/master
tom-groves/bug-1105/rounding-error
mgreter/master
v0.20.0
v0.19.3
v0.19.2
v0.19.1
v0.19.0
v0.18.12
v0.18.11
v0.18.10
v0.18.9
v0.18.8
v0.18.7
v0.18.5
v0.18.4
v0.18.3
v0.18.2
v0.18.1
v0.18.0
v0.17.5
v0.17.4
v0.17.3
v0.17.2
v0.17.1
v0.17.0
v0.16.8
v0.16.7
v0.16.6
v0.16.5
v0.16.3
v0.16.2
v0.16.1
v0.16.0
v0.15.6
v0.15.5
v0.15.2
v0.14.0
v0.13.5
v0.13.4
v0.13.3
v0.13.1
v0.13.0
v0.12.13
v0.12.12
v0.12.11
v0.12.10
v0.12.9
v0.12.8
v0.12.7
v0.12.6
v0.12.5
v0.12.4
v0.12.3
v0.12.2
v0.12.1
v0.12.0
v0.11.19
v0.11.18
v0.11.17
v0.11.16
v0.11.15
v0.11.14
v0.11.13
v0.11.12
v0.11.11
v0.11.10
v0.11.9
v0.11.8
v0.11.7
v0.11.6
v0.11.5
v0.11.4
v0.11.3
v0.11.2
v0.11.1
v0.11.0
v0.10.9
v0.10.8
v0.10.7
v0.10.6
v0.10.5
v0.10.4
v0.10.3
v0.10.2
v0.10.1
v0.10.0
v0.9.13
v0.9.12
v0.9.11
v0.9.10
v0.9.9
v0.9.8
v0.9.7
v0.9.6
v0.9.5
v0.9.4
v0.9.3
v0.9.2
v0.9.1
v0.9.0
v0.8.8
v0.8.7
v0.8.6
v0.8.5
v0.8.4
v0.8.3
v0.8.2
v0.8.1
v0.8.0
v0.7.11
v0.7.10
v0.7.9
v0.7.7
v0.7.6-i
v0.7.6-h
v0.7.6-a
v0.7.6
v0.7.5
v0.7.4
v0.7.3
v0.7.2
v0.7.1
v0.5.10
v0.5.9
v0.5.8
v0.5.7
v0.5.0
v0.4.3
Labels
Clear labels   
DBF

   
Dates

   
Defined Names

   
Features

   
Formula

   
HTML

   
Images

   
Infrastructure

   
Integration

   
International

   
ODS

   
Operations

   
Performance

   
PivotTables

   
Pro

   
Protection

   
Read Bug

   
SSF

   
SYLK

   
Style

   
Write Bug

   
good first issue
No Label
DBF
Dates
Defined Names
Features
Formula
HTML
Images
Infrastructure
Integration
International
ODS
Operations
Performance
PivotTables
Pro
Protection
Read Bug
SSF
SYLK
Style
Write Bug
good first issue
Milestone
Clear milestone
No items
No Milestone
Assignees
Clear assignees
No Assignees
4 Participants
Notifications
Due Date
The due date is invalid or out of range. Please use the format 'yyyy-mm-dd'.

No due date set.

Dependencies

No dependencies set.

Reference: sheetjs/sheetjs#2667
No description provided.
Delete Branch "%!s(<nil>)"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?