
Why I'm Working on Yarn


(This post is about Yarn, a new JS package manager that was announced today.)

I work with Node and npm packages almost every day, on Tilde's main app, Skylight, or on one of Ember's many packages.

Many have remarked upon how fast the npm registry has grown, and it's hard to imagine working on any of my packages without the npm ecosystem.

I've also worked on a couple of application-level package managers (Bundler for Ruby and Cargo for Rust), so it's no surprise that people have routinely asked me whether I'd consider writing a "bundler for node".

While it's something I considered idly from time to time, the truth is that for all of the complaints people have about the official client, it does a whole lot that people rely on, and the npm team has done a lot to improve it over the years. I genuinely respect their work, and believe that the hard work associated with maintaining a project the size and scope of the npm CLI client is vastly underappreciated.

So when I was first approached about helping with the Yarn project, I wasn't immediately sure I was interested. That changed quickly after talking with Sebastian McKenzie and James Kyle, two developers I have tremendous respect for, especially after working with them to integrate Babel into Ember.

There are a handful of "high order bits" that make me enthusiastic about the Yarn project.

First, it's no secret that major frameworks like Ember, Angular and React stress the limits of the official npm client. The team working on Yarn reached out to the major frameworks and made sure that Yarn would be a good fit for projects written using them.

In the month or so that I've worked on Yarn with a couple of dozen people from a bunch of companies, I was able to raise concerns and address them directly as an active contributor to the project. This makes me feel confident that, along with other contributors to Ember, I will be able to help shape Yarn into a project that effectively satisfies our needs.

Second (and relatedly), the Yarn project is set up as a community project, using a standard open source license, in its own GitHub organization, and set up to use the governance model that has worked effectively for Ember and Rust. This is something that I raised early with existing contributors to Yarn, and was very heartened by how enthusiastic everyone was about it.

This means that existing contributors and newer contributors work together to propose new features and other changes. In practice, I have seen this improve the decisions of the frequent contributors, and also provide a path for members of the community to write proposals, contribute code, and eventually become core contributors themselves. The exact details of Yarn governance are still being discussed on GitHub and we hope to finalize them soon.

Lastly, I believe in the core technical values of the project.

(It's not a coincidence that I write about the technical details last. I consider the technical details to be secondary to the way in which the project is set up to evolve. Technical mistakes can and will be corrected with a strong community, but not the other way around.)

I've written before that I consider predictability ("determinism") to be critical to projects like Yarn, especially in large applications.

From the get-go, the Yarn lockfile guarantees that repeatedly running yarn on the same repository results in the same packages.

This is true across time, across development machines, and when deploying applications to production. If I could have only one thing from Yarn, it would be this.

Second, Yarn attempts to have good performance, with a cold cache, but especially with a warm cache.

The Yarn that's shipping today already has good performance, but I think we can do even better.

Finally, Yarn makes security a core value.

Today, Yarn uses checksums to verify the integrity of every installed package before executing code. Interestingly, in addition to helping with security, checksums also help to avoid inadvertent errors caused by faulty caching or captive portals (something I have experienced repeatedly over the years, but which is devilishly tricky to track down without a full npm cache clean && rm -rf node_modules).
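The check described above, as an added example that is not part of the original post and is not Yarn's code: a digest recorded at lock time gates each fetched package before anything is unpacked or run, and catches both a captive-portal response and a corrupted cache entry. The record layout, the function names, the registry URL and the sample bytes are all constructed for the illustration, and SHA-256 is an assumed choice of checksum.

```javascript
// Added illustration, not Yarn's code. Record layout and sample bytes are constructed.
const { createHash, timingSafeEqual } = require('node:crypto');

const sha256 = (bytes) => createHash('sha256').update(bytes).digest();

// Hypothetical lock record: "<name>@<version> <url>#<sha256 hex>"
function parseLockRecord(line) {
  const m = /^(\S+)@(\S+) (\S+)#([0-9a-f]{64})$/.exec(line.trim());
  if (!m) throw new Error(`malformed lock record: ${line}`);
  return { name: m[1], version: m[2], url: m[3], digest: Buffer.from(m[4], 'hex') };
}

// Gate that runs before anything is unpacked or executed.
function verifyPackage(record, bytes) {
  // Both buffers are 32 bytes: the regex above enforces 64 hex characters.
  if (timingSafeEqual(sha256(bytes), record.digest)) return { ok: true, hint: null };
  // The digest mismatch is the verdict; the hint only helps diagnosis.
  const isGzip = bytes.length > 2 && bytes[0] === 0x1f && bytes[1] === 0x8b;
  const hint = isGzip
    ? 'gzip archive with different content (stale or corrupted cache, or tampering)'
    : 'not a gzip archive (for example an HTML page from a captive portal)';
  return { ok: false, hint };
}

// Constructed sample: a stand-in "tarball" (gzip magic bytes plus a payload).
const goodTarball = Buffer.concat([
  Buffer.from([0x1f, 0x8b, 0x08]),
  Buffer.from('constructed package payload'),
]);
// The digest is written once, when the dependency is locked.
const lockLine = 'demo-pkg@1.0.0 https://registry.example.invalid/demo-pkg-1.0.0.tgz#'
  + sha256(goodTarball).toString('hex');
const record = parseLockRecord(lockLine);

// Constructed failure cases: a portal login page, and a cache entry with one flipped bit.
const portalPage = Buffer.from('<html><body>Sign in to continue</body></html>');
const corrupted = Buffer.from(goodTarball);
corrupted[10] ^= 0x01;

function demo() {
  return {
    clean: verifyPackage(record, goodTarball),
    portal: verifyPackage(record, portalPage),
    cache: verifyPackage(record, corrupted),
  };
}

console.log(demo());
```

The hint is diagnostic only: a tampered archive and a corrupted cache entry look the same to this check, and both are refused.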

There are a number of additional steps we could take to further improve the security of Yarn, and making security a core value from the get-go makes me confident we will continue to work on them as we continue to develop Yarn.

I'm looking forward to working with the existing contributors to Yarn and many future contributors to make Yarn an awesome tool for the entire Node community.
