This repository has been archived by the owner. It is now read-only.

Can't install gulp-babel with npm #12012

Closed

justintemps opened this Issue Mar 22, 2016 · 23 comments

npm gives me this error: No compatible version found: left-pad@0.0.3

othiym23 (Contributor) commented Mar 22, 2016

The maintainers of left-pad have chosen to unpublish it, for reasons that are not yet clear. This is not an issue with npm, but is something that should be taken up with both the maintainers of left-pad and those of babelify, gulp-babel, and the other users of left-pad. As this isn't an issue with the npm CLI, there really isn't much the CLI team can do.

@othiym23 othiym23 closed this Mar 22, 2016

givanse commented Mar 22, 2016

duh! thanks 👍

elad-maimon commented Mar 22, 2016

Same issue here.
That means it's impossible to install babel-core since left-pad@0.0.3 is a dependency of it.

othiym23 (Contributor) commented Mar 22, 2016

@elad-maimon That's true! But this isn't an issue that the npm CLI team can fix. If you look at stevemao/left-pad#4, you'll see that the Babel collaborators are working on getting out a fixed version of babel-core that doesn't depend on the unpublished version of left-pad.

definitelycarter commented Mar 22, 2016

Just curious, why is it possible to unpublish a module that is depended on by others? Seems like NPM folks should validate that.

sammosampson commented Mar 22, 2016

yep, this really screws up a lot of things, including React Native

elad-maimon commented Mar 22, 2016

@othiym23 sure I'm sorry, I'm following stevemao/left-pad#4. Thanks!

givanse commented Mar 22, 2016

babel-core doesn't depend on it directly apparently, it's more of a dependency of a dependency...

othiym23 (Contributor) commented Mar 22, 2016

> Just curious, why is it possible to unpublish a module that is depended on others?

Because there may be a critical security flaw, or the package may contain sensitive information and have been published in error, or any of a host of other issues. I agree that this is inconvenient, but this is a necessary feature in a registry to which anybody can contribute packages.

joeandaverde commented Mar 22, 2016

@othiym23 would it have been possible for him to publish the same version WITH a security flaw?

othiym23 (Contributor) commented Mar 22, 2016

@joeandaverde I'm not sure what you mean.

definitelycarter commented Mar 22, 2016

> Because there may be a critical security flaw, or the package may contain sensitive information and have been published in error, or any of a host of other issues. I agree that this is inconvenient, but this is a necessary feature in a registry to which anybody can contribute packages.

I think in that scenario npm install left-pad@0.0.4 could fail, but the other modules that depend on it should succeed.

Those authors should be notified when a version they depend on is unpublished, allowing their module to work and find an upgrade path.

joeandaverde commented Mar 22, 2016

@othiym23 If he can remove a package, surely he can re-add with the same version. Wouldn't that give him the opportunity to upload a malicious version?

seldo (Contributor) commented Mar 22, 2016

@joeandaverde: it is not possible to republish a package with the same version as an unpublished version.

@redconfetti

For reference: azer/left-pad

krainboltgreene commented Mar 22, 2016

Just so it's clear: This is how rubygems operates as well. We (package managers) have to be able to remove access to published libraries for a variety of reasons.

Sadly there's no computer program in existence that can make sure removing is for the right reason.

givanse commented Mar 22, 2016

The problem is not the ability to do those things. It is needed.

What is needed is improved communication. Make it very loud and obvious that the package was removed so that the maintainers can decide to add it back or not.

npm install should fail for packages that were re-published, so that they get approved by consumers again.

elad-maimon commented Mar 22, 2016

@othiym23 as a suggestion, maybe instead of removing it allow the publisher to mark it as deprecated or something else that will show a warning?

After all, if a package has been removed it won't make any difference for running applications, it will just stop the development process since "npm install" won't work. So IMHO a warning should be enough to continue working while opening a bug for the maintainers to bump a version in their dependencies.

krainboltgreene commented Mar 22, 2016

@elad-maimon Here's the Rubygems ongoing discussion on this feature: rubygems/rubygems#1506

bjrmatos commented Mar 22, 2016

> Because there may be a critical security flaw, or the package may contain sensitive information and have been published in error, or any of a host of other issues. I agree that this is inconvenient, but this is a necessary feature in a registry to which anybody can contribute packages.

@othiym23 I understand those reasons, but it is practically unacceptable that if someone decides to unpublish a package, that decision affects a lot of installs and practically breaks the whole build in our projects :(

krainboltgreene commented Mar 22, 2016

@bjrmatos: That's a great ideal until someone publishes your home address or social security number.

Alternatively: It's the author's content, not the users'.

othiym23 (Contributor) commented Mar 22, 2016

As this is well beyond the scope of the CLI, and as there isn't any new or useful discussion happening here, I'm going to lock this thread. Thanks to all who helped in quickly responding to this issue, and I'm genuinely sorry this created so much awkwardness and wasted time for so many.

@npm npm locked and limited conversation to collaborators Mar 22, 2016
