NPM Encourages Abandonware

I am using Gulp.js, or just Gulp, to automate compiling the CSS stylesheets for the upcoming custom WordPress theme for this blog. In the process of getting that automation set up, I have concluded that NPM’s extremely lax requirements for adding a package to its registry have resulted in an explosion of abandonware.

One of Gulp’s useful advantages over a more traditional solution like make is its choice to pass virtual files between the stages of a processing chain. A stage can modify a file’s contents in memory and hand the modified file to the next stage without writing it to disk, so the build does not create dozens of temporary files that then have to be excluded from git and other tools. The most constructive use of this ability I have found so far is a plugin that replaces strings in files based on variables I set up.

NPM manages Gulp’s dependencies and plugins. Since creating a new public NPM package is easy, sharing a plugin you wrote takes almost no time. That all sounds great until you try to use a plugin and find that no one has updated it for one or two major versions of Gulp. Worse is the situation where some dependency is several versions behind and either has a known vulnerability itself or pulls in another dependency that does.

I don’t have time to maintain a public NPM package. I may fix one or two outdated plugins, but I am probably not going to share those fixes on NPM.

Yarn versus NPM

Over the last few days, I have had to use both Yarn and NPM while trying to install two different programs for a couple of home networking experiments. The dependency packaging of Node projects leaves something to be desired. Problems with dependency resolution become especially apparent when the package manager pulls in dependencies that are several years out of date for some reason.

I eventually figured out which dependency was causing the problems and that an update that broke no features would solve it. Yay, I can get the problem solved quickly and get back to testing a new networking feature for my home lab. Running yarn upgrade node-gyp should have solved the problem.

I spent over 30 minutes running around in circles trying to get yarn to update a transitive dependency. A short sequence of

  • Installing npm-check-updates
  • running npm-check-updates -u
  • and npm update

meant that node-gyp and several other outdated dependencies were updated.
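The reason the sequence above works where yarn upgrade alone did not is that npm update (like yarn upgrade) only moves a package to the newest version that still satisfies the range written in package.json, while npm-check-updates -u rewrites those ranges to the latest release first. The following added example (not code from this post, from npm or from npm-check-updates) triages an npm outdated --json style report into the two cases, and also flags packages installed under a nested node_modules directory, which is the transitive situation described with node-gyp above. It also covers the earlier point about plugins left several major versions behind. The current, wanted, latest and location field names follow npm’s JSON output; every package name other than node-gyp is hypothetical and all version numbers and paths are constructed.

```javascript
// Added example, not code from the post, from npm or from npm-check-updates:
// triage an `npm outdated --json`-shaped report into what `npm update` can fix
// on its own (newer versions inside the ranges package.json already allows)
// and what needs the ranges rewritten first (what `npm-check-updates -u` does).
// Field names (current/wanted/latest/location) follow npm's JSON output; the
// sample data at the bottom is constructed, version numbers included.

// Parse "1.2.3", "v1.2.3" or "1.2.3-beta.1" into [major, minor, patch]; null if unparsable.
function parseSemver(version) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(version == null ? '' : version).trim());
  return m ? m.slice(1, 4).map(Number) : null;
}

// Three-way comparison of parsed versions (pre-release tags are ignored).
function compareSemver(a, b) {
  for (let i = 0; i < 3; i += 1) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Heuristic: a package installed under a second node_modules directory is a
// transitive dependency that could not be hoisted, i.e. one whose version is
// pinned by some other package's range, not by your own package.json.
function isNested(location) {
  return (String(location || '').match(/node_modules/g) || []).length > 1;
}

// Classify one package from the report:
//   up-to-date  current already equals latest
//   npm-update  `npm update` alone reaches latest (the range already allows it)
//   partial     `npm update` moves forward but a newer major stays outside the range
//   range-bump  current equals wanted: nothing moves until the range is rewritten
//   missing     listed but not installed (npm omits `current` in that case)
function classify(name, entry) {
  const current = parseSemver(entry.current);
  const wanted = parseSemver(entry.wanted);
  const latest = parseSemver(entry.latest);
  const base = { name, nested: isNested(entry.location), majorsBehind: null };
  if (!current) return { ...base, state: 'missing' };
  if (!latest) return { ...base, state: 'unknown' };
  const majorsBehind = Math.max(0, latest[0] - current[0]);
  let state;
  if (compareSemver(current, latest) >= 0) {
    state = 'up-to-date';
  } else if (wanted && compareSemver(current, wanted) < 0) {
    state = compareSemver(wanted, latest) >= 0 ? 'npm-update' : 'partial';
  } else {
    state = 'range-bump';
  }
  return { ...base, state, majorsBehind };
}

// Build the triage list, worst offenders (most major versions behind) first.
function report(outdated) {
  return Object.entries(outdated)
    .map(([name, entry]) => classify(name, entry))
    .sort((a, b) => {
      const am = a.majorsBehind == null ? -1 : a.majorsBehind;
      const bm = b.majorsBehind == null ? -1 : b.majorsBehind;
      return bm - am || a.name.localeCompare(b.name);
    });
}

// Constructed sample in the shape of `npm outdated --json`. Package names
// other than node-gyp are hypothetical; all versions and paths are made up.
const SAMPLE_OUTDATED = {
  'gulp-example-plugin': { current: '1.4.0', wanted: '1.4.0', latest: '3.0.1', location: 'node_modules/gulp-example-plugin' },
  'node-gyp': { current: '3.8.0', wanted: '3.8.0', latest: '9.4.0', location: 'node_modules/some-native-addon/node_modules/node-gyp' },
  'left-behind': { current: '2.0.0', wanted: '2.1.5', latest: '2.1.5', location: 'node_modules/left-behind' },
  'half-way': { current: '4.0.0', wanted: '4.2.0', latest: '5.0.0', location: 'node_modules/half-way' },
  'never-installed': { wanted: '1.0.0', latest: '1.0.0', location: 'node_modules/never-installed' },
};

for (const r of report(SAMPLE_OUTDATED)) {
  const majors = r.majorsBehind == null ? '-' : String(r.majorsBehind);
  console.log(`${r.name.padEnd(22)} ${r.state.padEnd(12)} majors behind: ${majors}${r.nested ? '  (nested, transitive)' : ''}`);
}
```

To run it against a real project, save npm outdated --json output to a file and pass the parsed object to report instead of the constructed sample; note that npm outdated exits with status 1 whenever it finds anything outdated, so a shell script using set -e must tolerate that. A range-bump entry that is also nested is the hard case from the post: neither npm update nor editing your own package.json reaches it, because the range lives in the intermediate package. Pair this with npm audit, which answers the separate question of whether the versions you are stuck on have published advisories.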

Yarn might be better than NPM for running a built Node package, but it isn’t the easiest to use when a dependency update is required.