This repository has been archived by the owner on May 1, 2024. It is now read-only.
I published a data parser package on NPM. The package has one dependency, xlsx. The xlsx package on NPM is not current, so I'm downloading the dependency from outside of NPM using a URL in my package.json file.
When I look at the dependency tab on the NPM website and click on the xlsx dependency, I go to the xlsx page on the NPM website. However, I'm not using any version of xlsx offered by NPM. It's a package outside of NPM that happens to have the same name as a package on NPM.
I feel like in this case, it would be possible to create a package that supposedly uses a popular dependency, but instead, downloads a package from another source, labelled as that dependency.
There's no warning about the use of an external package on the website or when installing it through the CLI. I think there should be some sort of notification in the CLI to agree to downloading a package from outside NPM. I think also that the dependencies tab on the NPM website should not link to the page of a package that coincidentally has the same name when the package is coming from outside NPM, but instead show the URL of where the dependency is actually coming from.
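The situation the post describes, as an added example that is not part of the original discussion: a small Node.js check that reads a package.json object and flags every dependency whose specifier bypasses the npm registry (URL, git host, tarball, local path) or aliases a different registry package, so a reviewer can see which names do not actually resolve to the registry package of that name. The manifest and the URL in it are constructed placeholders, and the pattern matching is a heuristic rather than npm's own resolver (npm-package-arg).

```javascript
// Added example (not from the original post): flag package.json dependencies
// whose specifier does not resolve through the npm registry, so a name such as
// "xlsx" may install code from a URL, git host, or local path instead. These
// patterns are a heuristic, not npm's own resolver (npm-package-arg).
const URL_LIKE = /^(https?|git|git\+ssh|git\+https|git\+http|git\+file|ssh):\/\//;
const GIT_HOSTS = /^(github|gitlab|bitbucket|gist):/;
const SHORTHAND = /^[\w.-]+\/[\w.-]+(#.*)?$/; // user/repo[#ref] git shorthand

function classifySpec(spec) {
  const s = String(spec).trim();
  if (s.startsWith('npm:')) return 'alias';   // name maps to another registry package
  if (s.startsWith('file:') || s.startsWith('link:')) return 'local';
  if (URL_LIKE.test(s) || GIT_HOSTS.test(s) || SHORTHAND.test(s)) return 'remote';
  if (/\.(tgz|tar\.gz)$/.test(s)) return 'remote'; // bare tarball path
  return 'registry';                             // semver range or dist-tag
}

const DEP_FIELDS = ['dependencies', 'devDependencies', 'optionalDependencies', 'peerDependencies'];

// Returns one finding per dependency that is NOT a plain registry specifier.
function findNonRegistryDependencies(pkg) {
  const findings = [];
  for (const field of DEP_FIELDS) {
    for (const [name, spec] of Object.entries(pkg[field] || {})) {
      const kind = classifySpec(spec);
      if (kind !== 'registry') findings.push({ field, name, spec, kind });
    }
  }
  return findings;
}

// Constructed manifest modelled on the post: "xlsx" points at a URL, not the
// registry package of that name. The URL is a placeholder, not the author's.
const SAMPLE_PACKAGE_JSON = {
  name: 'example-data-parser',
  version: '1.0.0',
  dependencies: {
    xlsx: 'https://example.invalid/downloads/xlsx-latest.tgz',
    lodash: '^4.17.21',
  },
  devDependencies: {
    'my-fork': 'github:someuser/somerepo#v1',
    'local-tool': 'file:../local-tool',
  },
};

for (const f of findNonRegistryDependencies(SAMPLE_PACKAGE_JSON)) {
  console.warn(`${f.field}: ${f.name} -> ${f.spec} (${f.kind}, bypasses the npm registry)`);
}
```

Running the same check over a lockfile's `resolved` fields catches transitive dependencies too, which a package's own manifest never shows.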