<pikajude>
npm got broken because a package was removed
<pikajude>
ain't that some shit
<jfhbrook>
ehhh
<jfhbrook>
it coulda happened to anyone
<jfhbrook>
the real question is whether npm did the right thing or the wrong thing
<jfhbrook>
I think it was shit soup and they did the best they could, but might still be wrong
<pikajude>
I think the best thing to do would be to notify users of unpublishing and delay it for a few days or something
<pikajude>
or have a specific npm message for it
<ljharb>
they totally did the right thing
<ljharb>
unpublishing imo shouldn't even be possible without going through an npm person
<ljharb>
and the author who did the unpublishing is a huge jerk - no matter how upset they are that copyright and laws exist, breaking people is never excusable.
<eligrey>
on the other hand it becomes popular and everyone puts it on their cars and blasts uv at your retinas
<eligrey>
so we should ban its use in cars but not for me
<eligrey>
on* cars
alexgordon has joined #elliottcable
<alexgordon>
ELLIOTTCABLE: yo
<alexgordon>
incomprehensibly: yo
<ELLIOTTCABLE>
alexgordon: hi lovlie
<alexgordon>
still on the drugs eh?
<ELLIOTTCABLE>
ljharb: what happened?
<ELLIOTTCABLE>
jfhbrook: burnout? tell me more
<alexgordon>
ELLIOTTCABLE: didn't you see the glorious js drama
<jfhbrook>
ELLIOTTCABLE: well, I just came into work last week and just couldn't even
<jfhbrook>
ELLIOTTCABLE: and I went to my boss thursday and basically demanded this week off, and here we are
<alexgordon>
ELLIOTTCABLE: some guy made a package called "kik". kik messenger owns the trademark to "kik" so they told him to change it. He said no. So they asked npmjs.com to change it, and they did
<alexgordon>
ELLIOTTCABLE: guy proceeds to get VERY ANGRY and takes down all his packages
<alexgordon>
(and writes a Medium about it)
<alexgordon>
now everybody's build is broken because they didn't vendor their deps
<alexgordon>
and alexgordon is laughing his arse off
<ELLIOTTCABLE>
alexgordon: er. why would you vendor dependencies. lolno.
<purr>
lolololol
<ELLIOTTCABLE>
as for unpublishing, as ljharb: I think unpublishing should definitely be possible …
<alexgordon>
ELLIOTTCABLE: lots of javascript programmers learnt why today
<ELLIOTTCABLE>
… *unless* you declare your code under a specific, supported Open license, in which case the versions released under that license should be cached, hosted, and resolved forever
<ELLIOTTCABLE>
lol no.
<ELLIOTTCABLE>
vendoring is terrible.
<alexgordon>
ELLIOTTCABLE: for libraries, yes
<alexgordon>
ELLIOTTCABLE: but if you're running a business, then you have absolutely got to have your dependencies in your fucking source control
<alexgordon>
otherwise you waste a whole day because some dude deleted 100 of his npm modules
<ELLIOTTCABLE>
jfhbrook: well! enjoy your week off!
<ELLIOTTCABLE>
step one is to stay the fuck off the computer. hint hint.
<ELLIOTTCABLE>
make yourself *thirsty* for code.
<ELLIOTTCABLE>
read yourself into fucking bored tears, or go outside and let the stupid sun sear you silly
<alexgordon>
I'm so bored
<jfhbrook>
I'm reading and seeing friends and haven't touched any code beyond an interesting issue on one of my oss projects
<jfhbrook>
oh and checking out SO Careers
<jfhbrook>
for the first time in a *long* time someone hit me up with something that doesn't sound like *total* garbage
<jfhbrook>
so now I'm really conflicted
<jfhbrook>
but protip, apparently properly filling out the mission statement for online resumes helps a *ton* with recruiter relevance!
<ljharb>
it's not that you should "vendor" anything
<ljharb>
it's that you should a) never deploy from <third party internet site>
<ljharb>
b) use semver ranges
<ljharb>
c) only shrinkwrap top-level apps, and always do so
<ljharb>
d) don't unpublish shit that people are using
<ljharb>
you don't have to put your deps in source control, you just need a free internal npm registry