

npm link is a command-line tool for symlinking a local package as a dependency during development. It is commonly used for testing packages before publishing them. Read more about it in the official documentation.

Avoid using npm link because of the following footguns:

- Error-prone with multiple Node.js versions.
- No fail-case and unexpected fallback to the npm registry.

npx link is a tool I developed as a safer and more predictable alternative to npm link.

- my-library: an npm package that you want to test in another package as a dependency. The name property in my-library/package.json should be my-library.
- my-application: the package/project you want to test in.

Run npm link in my-library to install it globally, making it possible to link my-library to any local project. Note: this is the same thing as running npm install --global .

    $ realpath node_modules/package-name
    ~/my-linked-package

The lack of a proper fail case makes using npm link a confusing and frail process, especially when compounded with having multiple Node.js versions.

The first step of npm link installs the package globally. This happens in the shortcut as well, because it just automates the two steps. Global package installation (npm install --global) is a type of package installation used to make binaries available as a system-wide CLI command. So, if your package has a bin field, npm linking it will make it available as a CLI command.

Considering npm link is a tool for testing a package in development, global binary installation can be an unexpected and undesired side-effect. The implications of this unexpected behavior can be quite serious given packages can declare binaries with arbitrary names. In this example package, an arbitrary binary name random-command is specified in the package.json file:

Running npm link installs the binary random-command:

    pkg-b
    added 1 package, and audited 6 packages in 645ms
    found 0 vulnerabilities
    $ ls node_modules
    pkg-a pkg-b

While this works, it's not a great developer experience. In development, we don't always know ahead of time all the packages that need to be linked, or keep track of the previously linked packages. This confusing behavior compounds the poor usability and predictability of npm link.

Potential for accidents

As with any popular package registry, npm has a diverse collection with no standard for quality. npm removes malicious packages, but the risks mentioned above are not limited to attacks. When it's unclear whether the right package was installed, there is always potential for accidents. Many packages on npm are designed to make changes to the file-system, such as rimraf or a code linter.
