[MacPorts] #31161: npm: users should not run "npm update"

MacPorts noreply at macports.org
Wed Sep 7 20:01:07 PDT 2011 

#31161: npm: users should not run "npm update"
-------------------------------------+--------------------------------------
 Reporter:  ryandesign@…             |       Owner:  ciserlohn@…           
     Type:  enhancement              |      Status:  new                   
 Priority:  Normal                   |   Milestone:                        
Component:  ports                    |     Version:  2.0.2                 
 Keywords:                           |        Port:  npm                   
-------------------------------------+--------------------------------------
 According to the [http://npmjs.org/doc/faq.html#How-do-I-update-npm npm
 faq], users can update npm itself by running:

 {{{
 npm update npm -g
 }}}

 But we don't want users to do that; we want users to use MacPorts to
 upgrade software that was installed using MacPorts.

 I see two approaches we could use:

  1. Add a sentence to the `notes` field telling the user not to use "`npm
 update npm -g`"
   * Pros: easy to implement
   * Cons: easy for the user to ignore, forget, or overlook
  2. Override "`npm update npm -g`" and replace it with a message advising
 the user to run "`sudo port selfupdate && sudo port upgrade npm`" instead
   * Pros: eliminates possibility for user error
   * Cons: harder to implement

 I prefer option 2 if it's not too difficult. The ways I see of doing it
 are:

  2. Override "`npm update npm -g`"
   a. Write a wrapper script around npm
    * Pros: changes to npm won't necessitate rewriting the wrapper
    * Cons: if npm accepts optional arguments, or arguments in arbitrary
 order, getting the argument parsing right in the wrapper will be involved
   b. Patch npm
    * Pros: avoids a layer of abstraction for all the other npm commands
 the user will run
    * Cons: new versions of npm may invalidate our patches and require us
 to rewrite them

 A third possibility would be to get the developers of npm to include a
 configuration option to disable "`npm update npm -g`". Not sure if they
 would be willing to offer that.

-- 
Ticket URL: <https://trac.macports.org/ticket/31161>
MacPorts <http://www.macports.org/>
Ports system for Mac OS

More information about the macports-tickets mailing list