optionalDependences in registry not the same as package.json #1057
-
|
https://registry.npmjs.org/esbuild/0.19.10 lists all the packages in the I'm working on a build tool and trying to reason about the optional dependencies of a package using metadata so I don't have to download full package sand then reject them |
Beta Was this translation helpful? Give feedback.
Replies: 2 comments 1 reply
-
|
You always need to download the full package; see https://blog.vlt.sh/blog/the-massive-hole-in-the-npm-ecosystem |
Beta Was this translation helpful? Give feedback.
-
|
Thanks. This is also a bit scary because I was using the list of versions
in the registry to resolve version specifiers. I think I’m still fine for
that use case but I’ll switch to full downloads in the future and point
people to this issue for the reason.
Thanks
…On Thu, Dec 28, 2023 at 3:16 PM Jordan Harband ***@***.***> wrote:
You always need to download the full package; see
https://blog.vlt.sh/blog/the-massive-hole-in-the-npm-ecosystem
—
Reply to this email directly, view it on GitHub
<#1057 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AAQGASHCLBZ2JV2G6KRUAXTYLXHS7AVCNFSM6AAAAABBF3EWAKVHI2DSMVQWIX3LMV43SRDJONRXK43TNFXW4Q3PNVWWK3TUHM3TSNRXHA2TG>
.
You are receiving this because you authored the thread.Message ID:
***@***.***>
|
Beta Was this translation helpful? Give feedback.
-
|
You definitely can rely on the version metadata, it's just the packument contents that come from the publisher that you can't trust. |
Beta Was this translation helpful? Give feedback.
You always need to download the full package; see https://blog.vlt.sh/blog/the-massive-hole-in-the-npm-ecosystem