Nicholas Zakas
And NPM was based on a package manager at Yahoo where I worked for five years called Yinst.
And Yinst was the way that all of the machines were built inside of Yahoo.
And these pre-install and post-install scripts could run in Yinst to help you set things up after you got resources installed.
And that turned out to be pretty helpful to be able to set up machines.
That was copied over into NPM with the same idea.
The difference, though, is that Yinst was an internal system.
So there was implicit trust with all of the packages that were published in Yinst.
For NPM being a public system, you don't have that implicit trust.
And I think that this is probably something Isaac would have rethought when he was designing the system, knowing what he knows now.
But the NPM ecosystem kind of became dependent on those scripts because of the ability to publish native NPM packages that were actually compiled, like C, C++ packages, where you can't publish the compiled artifact itself because it has to be compiled individually for each machine.
And so these post-install scripts are what allow these native modules to be used and installed on any machine because it just downloads the source code and then on your machine it compiles it into the form that can be used and then you can just run it.
And there are a lot of packages that use that now because every once in a while somebody will say, well, we'll just ban pre-install and post-install packages.
But if you do that, you kill off a non-trivial portion of packages on NPM that people are relying on.
And the other thing about that is you can actually say `npm install --ignore-scripts`, and it won't run any of those scripts.
And that's a great solution unless you end up with one of those packages in your dependency tree that needs to be compiled, and you might not even be aware of it.
And so just disabling that or just always saying, like, don't run those scripts, that also has the effect of potentially breaking people's experiences in ways that they didn't anticipate.
And if you've ever had any trouble with a deep dependency that needs to be compiled that wasn't compiling, it is really difficult to debug.