NPM Encourages Abandonware

Written by: Robert R. Russell on Wednesday, July 29, 2020.

I am using Gulp.js, or just Gulp, for automating the compilation of CSS stylesheets for the upcoming custom WordPress theme for this blog. In the process of getting that automation set up, I have concluded that NPM’s extremely lax requirements for adding a package to their servers have resulted in an explosion of abandonware.

One of Gulp’s useful advantages over a more traditional solution like make is its choice to pass virtual files around between stages of the processing chain. Parts of the Gulp chain can modify the contents of a file and pass on those modifications without writing them to disk and creating dozens or more temporary files that require exclusion from git and other tools. The most constructive use of this ability I have found so far is a tool that can replace strings in files based on variables I set up.

NPM manages Gulp’s dependencies and plugins. Since creating a new public NPM package is pretty easy, sharing a plugin you wrote doesn’t take any time. That all sounds great until you end up trying to use a plugin and find that no one has updated it for one or two major versions of Gulp. Worse yet is the situation where some dependency is several versions behind, and either has a known security vulnerability itself or pulls in another dependency that does.
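The second problem, a stale transitive dependency that carries a known vulnerability, is easy to miss because it hides under another package's `node_modules`. The following added example (written for this page, not part of the post or of npm) walks a package-lock.json in the lockfileVersion 2/3 `packages` layout and flags every installed copy, direct or nested, whose version falls inside an advisory's vulnerable range. The lockfile, the advisory list, and the package names (`gulp-example-plugin`, `example-minimist`, `EXAMPLE-ADV-0001`) are constructed placeholders; in real use the advisory data comes from `npm audit` or an advisory database.

```javascript
// Added example, not from the original post: an offline check that maps
// advisory ranges onto the packages an npm lockfile actually installs.

// Parse "1.2.3" into [1, 2, 3]; prerelease tags and build metadata are ignored.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Numeric comparison of two versions: negative, zero or positive.
function compareVersions(a, b) {
  const [pa, pb] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] - pb[i];
  return 0;
}

// Package name from a lockfile key such as "node_modules/a/node_modules/b" or
// "node_modules/@scope/pkg".
function nameFromKey(key) {
  const parts = key.split('node_modules/');
  return parts[parts.length - 1];
}

// Depth 1 means a direct dependency; deeper means another package pulled it in.
function depthFromKey(key) {
  return key.split('node_modules/').length - 1;
}

// Returns one finding per installed copy whose version is below the advisory's
// fixedIn version and, when the advisory gives one, at or above introducedIn.
function findVulnerable(lock, advisories) {
  const findings = [];
  for (const [key, entry] of Object.entries(lock.packages || {})) {
    if (key === '') continue; // the root project itself
    const name = nameFromKey(key);
    for (const adv of advisories) {
      if (adv.name !== name) continue;
      const belowFix = compareVersions(entry.version, adv.fixedIn) < 0;
      const introduced = adv.introducedIn ? compareVersions(entry.version, adv.introducedIn) >= 0 : true;
      if (belowFix && introduced) {
        findings.push({ id: adv.id, name, version: entry.version, path: key,
          depth: depthFromKey(key), fixedIn: adv.fixedIn });
      }
    }
  }
  return findings.sort((x, y) => x.path.localeCompare(y.path));
}

// Constructed lockfile: the plugin's own nested copy of example-minimist is old,
// while the top-level copy is already at the fixed version.
const sampleLock = {
  name: 'blog-theme',
  lockfileVersion: 3,
  packages: {
    '': { name: 'blog-theme', devDependencies: { 'gulp-example-plugin': '^1.0.0' } },
    'node_modules/gulp-example-plugin': { version: '1.0.4' },
    'node_modules/gulp-example-plugin/node_modules/example-minimist': { version: '0.0.8' },
    'node_modules/example-minimist': { version: '1.2.6' },
  },
};

// Constructed advisory list (placeholder id and package name).
const sampleAdvisories = [
  { id: 'EXAMPLE-ADV-0001', name: 'example-minimist', fixedIn: '1.2.6' },
];

for (const f of findVulnerable(sampleLock, sampleAdvisories)) {
  console.log(`${f.id}: ${f.name}@${f.version} at ${f.path} (depth ${f.depth}, fixed in ${f.fixedIn})`);
}
```

The point the check makes visible is that upgrading the top-level copy does nothing for the nested one; only a release of the plugin itself, or a fork with its dependency bumped, removes the vulnerable version from the install.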

I don’t have time to maintain a public NPM package. I may fix one or two outdated plugins, but I am probably not going to share those fixes on NPM.

©2020 Robert R. Russell — All rights reserved
