add deprecate guidelines doc [draft] #150

Open. Wants to merge 2 commits into base: master

Contributor

jchip commented Feb 5, 2019

No description provided.


## What consititutes an unmaintained package?

- The author is no longer responding to questions, issues, PRs, or making any updates.

@ljharb

ljharb Feb 5, 2019

Contributor

maybe worth qualifying here that they’re updates needed for particular reasons? if the only things the author is ignoring are feature requests the author doesn’t want, the package isn’t necessarily unmaintained.

- A different package that's more active and the author acknowledged as the replacement.
- Critical issues exist for the package and not being addressed
- Known vulnerabilities identified by `npm audit` or other parties
- Package is known to fail for LTS NodeJS
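Review bot: the "Known vulnerabilities identified by `npm audit` or other parties" item treats any known vulnerability as a sign of an unmaintained package, while the "Critical issues" item above it is qualified with "and not being addressed". Suggest carrying the same qualifier here (known vulnerabilities that are not being addressed), since a package with a reported vulnerability that the author has responded to is still maintained.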

@ljharb

ljharb Feb 5, 2019

Contributor
Suggested change:
- Package is known to fail for LTS NodeJS
- Package is known to fail for LTS node.js
- semver violations (any non-bug fix break in a non-major, eg)

- File issue in repo to encourage author to deprecate a version that:
- Has known critical bugs and should be avoided
- Known to fail for LTS NodeJS

@ljharb

ljharb Feb 5, 2019

Contributor
Suggested change:
- Known to fail for LTS NodeJS
- Known to fail for LTS node.js

(not sure what NodeJS is :-p)


## Identify replacement

- If a package is fully unmaintained, then a replacement should be identify and add to the deprecate message.

@ljharb

ljharb Feb 5, 2019

Contributor
Suggested change:
- If a package is fully unmaintained, then a replacement should be identify and add to the deprecate message.
- If a package is fully unmaintained, then a replacement should be identified and added to the deprecation message.
## Identify replacement

- If a package is fully unmaintained, then a replacement should be identify and add to the deprecate message.
- If no replacement exist, then should identify the safe versions to use in deprecate message.

@ljharb

ljharb Feb 5, 2019

Contributor
Suggested change:
- If no replacement exist, then should identify the safe versions to use in deprecate message.
- If no replacement exists, then should identify the safe versions to use in the deprecation message.
- but only owners can `npm deprecate` a package.
- if author simply can't be reached and package is very outdated, then need to contact npm to get access to deprecate package.

* A cli to allow `npm deprecate` a range of versions on a package.
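Review bot: the line "need to contact npm to get access to deprecate package" does not say who makes that request or what establishes that the author "simply can't be reached" and that the package is "very outdated". Since the line above it states that only owners can `npm deprecate`, the access being requested is owner-level; suggest the doc spell out the contact attempts expected first and that the access is used only to deprecate.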

@ljharb

ljharb Feb 5, 2019

Contributor

that’s already how npm deprecate works

- if author simply can't be reached and package is very outdated, then need to contact npm to get access to deprecate package.

* A cli to allow `npm deprecate` a range of versions on a package.
* or `npm deprecate` versions with published date older than a given time

@ljharb

ljharb Feb 5, 2019

Contributor

that seems an interesting feature to propose to npm, but it’s out of scope of this group

- file high priority issues in the package's repo

- if npm audit identified vulnerabilities that are critical
- if package is broken or fail to install for a LTS release of NodeJS

@ljharb

ljharb Feb 5, 2019

Contributor
Suggested change:
- if package is broken or fail to install for a LTS release of NodeJS
- if fails to install/build for an LTS release of node.js

what constitutes “broken”?

- Has known critical bugs and should be avoided
- Known to fail for LTS Node.js
- Has known critical vulnerabilities

@Eomm

Eomm Feb 12, 2019

Member

Could we add "Suggest to join the package-maintenance program"?
Some packages could need help and don't know we are here to help them (with tools almost)
