RFC: Change package manager to npm #20
Comments
For me that's the case already. I just use npm. I think we should allow developers to use yarn or npm, we just should exclude the yarn.lock from the project to keep it clean.

On Wed, Dec 5, 2018, 07:41 Jurek Barth wrote:

> I would like to propose the change from yarn to npm package manager.
> I would like to do so, because of npm audit and because it feels more "native".
> What do you think about it?
Why remove it? We should keep committing lock files to have reproducible behaviours in our projects.
@timomayer The problem is that we need to update the yarn.lock file manually after each install or automatically before every push. This takes quite some time. In addition to that, we should enforce npm because of the audit feature, so we make sure no malicious packages get installed.
@SheepFromHeaven OK, the audit feature is a reason to switch back, I agree.
@dannystey Maybe you can look into that as well when you are doing the 2 bugfixes?
@SheepFromHeaven @timomayer The audit feature isn't a reason to switch back anymore, as yarn has had the audit feature since 1.12.0, but I would also prefer that the developer has the chance to decide if he/she likes to use yarn or npm. Yarn imports the package-lock.json since version 1.7.0, so there is no need to have a yarn.lock in the repository.
Done |