-
Notifications
You must be signed in to change notification settings - Fork 5.4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Maybe need a package management tool #47
Comments
@hstarorg I'm against having a package manager. I think other things including npm are more network depended, here is why:
Why (i think) importing from URLs is a good idea?Deno uses a built-in cache system so you don't need to download a bunch of things. (that you already downloaded for your other projects)
You already do that in NPM!and it's easier in Deno as you only have to import one file per dependency wherever you need that : ) |
@qti3e will the code autocompletion or IDE relate stuff work with that? |
package name in package.json is a shortcut to an actual URL anyways. |
@sandangel not yet, but it's not a hard task, there are only two differences between a Deno file and a regular ts file:
|
@qti3e I'm curious, so what is the strategy to reuse thousands of js, ts library out there when they are using normal require() // js and import // ts |
@sandangel well, I'll dive into this issue next week and see if I can write a Node to Deno converter or not : ) (FYI; Probably I'm gonna parse AST and insert file extensions to module names, also I'm thinking of converting npm imports (package name) to unpkg urls) If you have any other idea please let me know : ) |
@sandangel The idea is to explore what a simpler runtime could be. It may indeed to too tedious to link to URLs (but Go seems to do fine by it). I think the project looks like it's is going well I will write a source rewriting tool for converting old programs. |
@ry and the tool you have just said works just like a package manager ^^. It downloads the package, converts it so it can be import with url, adds the import to the source code. Am I wrong? :) |
Version control for package is important. Something like go-dep |
@wujohns Bear in mind that with the third-party service unpkg, you can use URLs to depend on npm packages with the same version ranges that you use in your package.json file, ala https://unpkg.com/deepmerge@~1.4.2 -> https://unpkg.com/[email protected]/dist/cjs.js |
@TehShrike but having a cli tool just makes life easier ^^ |
How to process multilayer deps? For example: A depend B, B depend C? |
i think a package manage tool like npm is needed, because we are lazy, we want to make it easy to use, writing urls is really not a happy things to everyone. you want everyone use it, you should make them happy to use itk. |
Deno is browser-compatible, so any packager(bower, unpkg and npm) are available, too. |
problem of finding and typing URLs can be solved via vscode plugins, or a siri plugin - no need why that complexity should be in something which goal is to make things lighter |
Even if you dont have a package manager there should be a central place to list dependencies. Are we going to write the absolute url in each file? How does it work? |
after the version of npm3, the “black hole” is flattened |
Ryan's talk makes it explicit that a package server would handle semantic versioning as part of the URL.
It just looks different, but in practice, it isn't very "flat". |
The idea with the URL imports is that deno acts as its own package manager. I explicitly want to avoid the need for ancillary tooling. |
I love the idea of url imports because it makes it easier for us to experiment with ideas like |
@jedahan Use this style, your code should be very hard to share. |
@hstarorg hard to share in that not everyone will have a system-level resolver, I agree. But there are so many good solutions for this, and what I like is that it seems deno is making decisions that don't explicitly stop us from trying any of them:
|
When using go to program, the biggest problem I encountered is package manage. I am afraid to use a language without official package manage tool. ex: go, it has many tools for So I think the result of the “import from url” will be that many new tools are created for connecting npm and dyno. Maybe this result is good for most of the people |
@wujohns Many options that will difficult to choose. Split package management will cause the package in many tools. |
@hstarorg So the official tool or central repository is important. Fortunately we have npm, the new tools's core will be it (there is actually only one choice) |
@wujohns A npm like tool is very important, also need fix some npm defect. |
Guys, without any package manager, we will end up using plenty of lodash source in one single application, so instead of using 4mb of lodash, we're going to hack up the memory up to 40mb because of 10 different packages, use almost the same lodash version, but bundled so every import will take it also. This is ridiculous. |
@cojack that is what tree shaking is for |
People saying deno needs a package manager like NPM... what if you just use NPM as the package manager?? |
@randfur You could if you want to, as long as the module uses JavaScript and not CommonJS for it's resolution system( it's the beauty of Deno ) A package manager can't be implemented cause it would limit the resources from which a JS module can be imported from(requires a metadata file, a standard to validate versions, a min runtime version, etc) According to ECMA standards, any valid JS file is a module of sorts, and Deno's team seems to be of this same mind |
One of my favorite things about just my 2 cents, but I personally wish Deno had created its own standard/blessed way of managing deps rather than a best-intentions recommendation of putting all your deps in a single file. |
@dummyuser10 check out |
I'm still think this way to import packages will be really insecure. Security is first! I mean, over 80% of devs today copy and paste the classic Other way to understand this, is with the known import { express } from 'https://malicious-cdn.com/libs/express/express.ts' All it's ok, run perfect and offer the lastest This is 100% possible with NPM, but we know that npm can remove it in Deno not. I see the difference between both easily, but how I can trust in that CDN?
I know that Deno have other philosophy of security over runtime, but obviously if a package need write and read permissions the developers will give them. What plans have about this? Is the cost of decentralization? Packages over "Deno Proxy"Could be a optional global package register, but not store the files? Maybe like a proxy for deno packages because with that flow Deno could give some security to developers and block malicious packages. For example: import { express } from 'https://malicious-cdn.com/libs/express/4.17.1/express.ts'; I'm still using malicious package but when start app, Deno proxy check the URL if is not in the blacklist packages. I say optional because can be good idea turn off "Deno proxy" if the developer don't want use it, like with a privates repositories. Also could integrate with a list of trusted domains will not pass to the Deno proxy |
Maybe my last comment could transform in a business model 😆 |
Also what can be happen with the most used packages when they don't have enough backers for host files and support all traffic with the URL model?. I mean think in lodash, tslib, axios, express, moment, etc. with the current developers demand. I see the natural movement of companies to offer freemium/paid host to open source packages, that could end in a centralizated host. I don't say will be a bad idea use URL but the developers need a secure model to import packages with the accessibility and security like fundamentals. |
This misunderstands the issue. In Node, if I depend on A, and A depends on B, and B releases a critical security patch, I can apply that patch immediately by running a single command. I don't have to wait for A to release a new version. And if, as is often the case, I depend on packages A through Z, all of which depend on B, I don't have to wait for dozens of different package maintainers to release new versions before I can be rid of the vulnerable version of B. As I understand it, in deno, whether you plumb imports through Other languages do things this way, and for all I know it's better that way. But, the existing module culture of node ("make lots of packages, depend on loooooots of packages") will not be able to exist in deno due to this issue. |
The idea of a proxy seems interesting, I will even travel a bit, maybe it could even be maintained by the NPM itself, something like, I want such a package, it would do something like import {module} from "npm.org?package=namespace/module.ts&package_version=1.&platform=deno&npm_package_version=", there at NPM they would get the package, all its subdependencies, package and deliver everything only in a single module file, from the moment he assembled the package the first time , it would already be cache for all the others, to keep updated, they could generate a new package every time there is an update in the main module or in its dependencies and create a versioning system for the packaged modules, like an npm_package_version. |
Another comment here from someone who sees benefit in the package.json listing all the different packages that a project has. One thing that I wonder is, what happens if we need to upgrade a package to a new version? In node we could update the package.json and keep the "require('express')" for example. But in deno I understand we should go through every file and update it there. To me there should be a better way to address this issue because we could have the case in which some file is left unchanged and an old api is used unexpectedly or a security issue remains. I like the solution from @kitsonk using the deps.ts, but I see we as developers should reexport the functions / classes from each one of our dependencies. In terms of maintenance I think deno could have something like the package.json to make this mapping, for example: {
"dependencies": {
"react": "https://the-cdn-url-here@version"
}
} and then in the file just use Keep up the good work guys! :) |
@juanpenarandaosf you are asking for import maps basically, which are already a thing |
Beautiful! thank you |
I've created make-deno-edition to make npm packages written in typescript compatible with deno - is working on badges - usage proof of this here https://repl.it/@balupton/badges-deno - has been used now to make 32 node packages compatible with deno - you can use project to automatically generate the readme instructions for the deno edition - and can use boundation to automatically scaffold your projects to automate the entire process - start-of-week is an example where different entries are used for node, deno, and web browsers |
It's been mentioned a few times, but it seems some of you fail to read the documentation. Deno has support for "importmaps", which serve to alias import URL's to human-readable strings or "package names". https://deno.land/manual/linking_to_external_code/import_maps For the lazy, this means you create a file called "import_map.json" and populate it with your projects dependencies. Shockingly (coincidence?) similar to how package.json works... By definition, this is package management. Just because there is no magical CLI to update and manage this file for you, does not mean there is no way to manage and centralize your project's dependencies. Further, if any of you wish to create a tool to do this, you are more than welcome. Edit: for the people comparing a JS runtime to Go and Kotlin... Really? |
In the official website manual, they are using the deps.ts file solution. So what is the best solution, import maps or deps file ? There shouldn't be 2 ways of doing the same thing as it is promoted by deno, for example the builtin utilities like fmt, lint or tests so everyone in deno use the same linter and formatter, no need to struggle with ESLint or Prettier configuration since everyone follows the same configurations and conventions. I don't know if it's related to the issue (excuse me if it's not) : In Node.js in package.json there is a "scripts" object to easily execute long repetitive command, in deno it doesn't exist and it is all the more true with deno because of the security flags, so everytime you want to execute your deno script you must remember all the flags and options ? Note : Since I'm mostly a Node.js developer, I'm new to the deno world, but really like some of the concepts promoted by deno and looking forwards to see the improvements. Excuse me if I'm saying something wrong. |
importmaps are a web standard, so deno implemented it. deps.ts is just a convetion people like to use. the reason people use deps.ts is because importmaps cant be used by modules, only by the final product. |
OK now I'm confused, why import maps and not standard typescript paths mapping? Specially since |
Because import maps are a browser standard that also work for JS (not only typescript) |
@lucacasonato how about support for |
@IRoninCoder TypeScript paths aren't meant to be used with URLs (which would require extra thinkering in the TS side to make it work like that) and it would complicate a lot more the module resolution system Deno uses, rather than just appending import maps to it. Also, see #7732 which would effectively remove the capability to do that. |
|
Regarding the above, to reiterate, https://github.com/bevry/make-deno-edition generates a compatible edition with all necessary path remapping automatically performed; for local deps, deno deps, and node_module deps. |
I am new to deno. after reading the deno manual and this artical my mind mess up. have no idea what's the best solution for dependence management... |
@loohoo You can use deps.ts and mod.ts without concern. That article and benchmark was written before we had incremental TypeScript compilation. It is not up to date anymore. |
NPM was easily abused, and Deno library is easier. See: https://www.veracode.com/blog/research/abusing-npm-libraries-data-exfiltration. We have to build both good package management and good repo central like Java and C# have. |
Import from url is very hard to use. I think is not a good idea.
If so,
Like C#\Java, the nuget and maven is good for use. Maybe use that mode can help us manage the packages.
The text was updated successfully, but these errors were encountered: