Why the move away from npm registry?
Closed · opened 1 year ago by JSin · 14 comments
I noticed from this commit (ed18acd63d) that you moved away from publishing to the npm registry and recommend people download using tarballs on the CDN. Why did you move away? The npm registry is an extremely common way to download packages.
The package on the npm registry is surprisingly popular (one of the top-500 by dependents). npm invalidated the old publish token and is forcing 2FA on the publishing account.
Due to ongoing legal matters between SheetJS LLC and npm, Inc. (which will not be discussed here), it did not make sense to continue using the public npm registry for distribution.
With GitHub (the owner of NPM) sunsetting the git.io domain with only 4 days notice, we are reminded of the ephemerality of the Internet and the inherent risks of relying on platforms.
Top 500 NPM package list, 1.26 million downloads a week, over 3000 dependent packages and not even a mention in the README regarding the fact ongoing development for this package won't exist any longer in the single largest JS library platform on the planet (after 8 years).
Mandatory 2FA should be a noop, as a responsible maintainer would already have it enabled.
npm publish tokens remain exempt from 2FA, so I'm not clear on why that would be an obstacle.
Yeah, 2FA should be a no-brainer. And tokens are indeed exempt if specified.
This is bizarre
Full disclosure, I happened upon this issue by chance and am not a SheetJS user, but this is... really strange.
What possible justification could you have for taking issue with npm's 2FA requirement for maintainers of popular packages?
I don't see how this is a reason for silently dropping support for npm. If anything, from the perspective of your users it's an argument for the opposite, because npm is statistically way more likely to exist 5 years from now than your personal CDN.
Maintainers of OSS projects don't owe people anything, of course, but all I can say is you shouldn't be surprised when people (including your paying customers) look at this whole thing and decide to either fork the project or switch to a competing library not maintained by someone who makes decisions like this.
I'm imagining a conversation somewhere along the lines of:
Hey, I just got an email saying that our MPM account didn't have 2FA enabled. I think that's like really important, right? Why didn't you have it enabled?
Really sir? That is uh very concerning. They must of uh like um deleted our settings.
Deleted our settings?! That's outrageous! They can't do that! Those are OUR settings. You know what, just go ahead and only post it on our site from now on.
Post it on our site? Like a CDN? I mean it was probably just a glitch, I'll uh I'll just reset the security settings. Problem solved.
No. I doubt these MPM guys will be around a lot longer anyways. You will post it on our site only from now on, am I understood?
Good work, I'm going to go call the lawyers about this.
Not sure why one would want to use the SheetJS CDN for npm installs instead of just doing something like this (GitHub-based install):
npm package xlsx has 1.4 million weekly (!) downloads of outdated version 0.18.5.
@SheetJSDev It would be great if you could add a notice to the npm readme.
A warning during "npm install xlsx" would also be great, mentioning alternative install methods.
First, thanks for your amazing work on this library.
Because of security concerns, I prefer relying on an up-to-date npm package with proper version management, immutable release binaries and npm audit facilities. I'm sure your users would appreciate an update of the well-known npm registry.
If the issue is 2FA related, other popular packages solved the issue. Without you explaining the other reasons, it is hard to understand the withdrawal.
Have a nice day.
Highly disappointing that you won't reply to any of the above comments raised by users of SheetJS or at least post a notice on the npm readme.
Means millions still install from npm with no idea, and many must be paying for the pro version without realising what has happened. As someone said above, npm will be here forever basically, whereas this CDN could end at any date.
While I do understand that there is more going on here than meets the eye I would like to raise an additional issue that is caused by this.
In the deployment pipeline of my company, access to the open internet is not possible for security reasons. We have our own registry which is basically a mirror of npm and we have the same for other popular registries (e.g. pip or Docker). This means that our build can only depend on things that are either on npm or already inside a project's repository. Anything besides that is strictly off limits and we are unable to get around this even with a proper proxy configuration.
We are therefore unable to use the latest version in production.
Whatever your matter with npm is, you should consider whether this drastic step is actually necessary. After all, it is only to your disadvantage because people keep using your project via npm but are not using the latest versions. This will hurt the project in the long term.
If this doesn't change within the next few months I will have no choice but to replace SheetJS with something else.