
Upload package to NPM / Yarn Registries #7

Open
emanuelb opened this issue Apr 19, 2021 · 2 comments

Comments

@emanuelb

Currently, using the package requires referencing this repo via:

    "electrum-client": "https://github.com/BlueWallet/rn-electrum-client",

Please upload it to the NPM / Yarn registries:
https://yarnpkg.com/package/rn-electrum-client
https://www.npmjs.com/package/rn-electrum-client

So it can be used instead with:

    "electrum-client": "rn-electrum-client",

@Overtorment
Member

What's the point, except putting a different string in your package.json?

@emanuelb
Author

> What's the point, except putting a different string in your package.json?

There are several benefits to using a package instead of a git repo (probably more exist as well):

  1. The git repo can be removed/relocated/changed in a way that will break the build, e.g. the commit used for locking no longer exists (a full history rewrite happened) or the repo got deleted, etc. JS packages in repos have a safeguard against such scenarios (see the left-pad event and the changes that were applied to the JS packaging ecosystem afterwards).
  2. The packaging can result in a smaller download (fewer files); also, while the JS ecosystem is not there yet, with widespread reproducible builds, matching git repo content to package content will bring more security to the packaging/build process.
  3. It doesn't require installing an additional git package, thus fewer deps are needed in release compilation.
  4. Using tools that check package lock files for white-list entries makes it easier to verify that only one allowed domain is used (like the npm or yarn registry); see: https://snyk.io/blog/why-npm-lockfiles-can-be-a-security-blindspot-for-injecting-malicious-modules/ and the tool https://github.com/lirantal/lockfile-lint, which can be run with `npx lockfile-lint --path yarn.lock --allowed-hosts yarn --validate-https` to ensure only the yarn registry is used.
  5. Packages are better supported by many tools (like caching proxies, tools that check for newer/outdated/vulnerable versions, etc.).

You can also see the issue bitcoin-dot-org/BitcoinWalletMobile#5, which is about this issue and why it was opened (another project whose build process I reviewed uses this repo).
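Worked example added to this thread (it is not part of the discussion above, nor lockfile-lint's own code): a small Node.js script that performs the kind of lockfile check described in item 4 of the comment above. It parses a yarn.lock v1 file, extracts each entry's `resolved` URL, and flags entries whose host is not an allowed registry or whose scheme is not HTTPS, so a git dependency like the one in the first comment shows up as a finding. The lockfile content is constructed for the example, and the commit and sha values in it are placeholders, not real hashes.

```javascript
// Added example, not code from the thread or from lockfile-lint.
// Checks that every entry in a yarn.lock (v1 format) resolves to an allowed
// registry host over HTTPS, flagging git or mirror sources that bypass it.

// Hosts a build is allowed to fetch packages from (assumed policy for this example).
const ALLOWED_HOSTS = new Set(["registry.yarnpkg.com", "registry.npmjs.org"]);

// Constructed sample yarn.lock content; hashes are placeholders, not real values.
const SAMPLE_YARN_LOCK = `# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.
# yarn lockfile v1

"electrum-client@https://github.com/BlueWallet/rn-electrum-client":
  version "1.0.0"
  resolved "https://github.com/BlueWallet/rn-electrum-client#PLACEHOLDER_COMMIT"

left-pad@^1.3.0:
  version "1.3.0"
  resolved "https://registry.yarnpkg.com/left-pad/-/left-pad-1.3.0.tgz#PLACEHOLDER_SHA1"
  integrity sha512-PLACEHOLDER

typo-pkg@^2.0.0:
  version "2.0.0"
  resolved "http://registry.yarnpkg.com/typo-pkg/-/typo-pkg-2.0.0.tgz#PLACEHOLDER_SHA1"
`;

// Minimal yarn.lock v1 parser: an unindented line ending in ":" starts an entry,
// indented "resolved" lines give the URL the package was fetched from.
function parseYarnLock(text) {
  const entries = [];
  let current = null;
  for (const raw of text.split("\n")) {
    const line = raw.replace(/\r$/, "");
    if (!line || line.startsWith("#")) continue;
    if (!line.startsWith(" ")) {
      const spec = line.replace(/:\s*$/, "").replace(/^"|"$/g, "");
      current = { spec, resolved: null };
      entries.push(current);
    } else if (current) {
      const m = line.match(/^\s+resolved\s+"([^"]+)"/);
      if (m) current.resolved = m[1];
    }
  }
  return entries;
}

// Returns one violation object per policy breach: missing/unparseable resolved
// URL, non-HTTPS scheme (when required), or a host outside the allow-list.
function checkLockfile(text, allowedHosts = ALLOWED_HOSTS, requireHttps = true) {
  const violations = [];
  for (const entry of parseYarnLock(text)) {
    if (!entry.resolved) {
      violations.push({ spec: entry.spec, reason: "no resolved URL" });
      continue;
    }
    let url;
    try {
      url = new URL(entry.resolved);
    } catch {
      violations.push({ spec: entry.spec, reason: "unparseable resolved URL" });
      continue;
    }
    if (requireHttps && url.protocol !== "https:") {
      violations.push({ spec: entry.spec, reason: `insecure scheme ${url.protocol}` });
    }
    if (!allowedHosts.has(url.hostname)) {
      violations.push({ spec: entry.spec, reason: `host ${url.hostname} not allowed` });
    }
  }
  return violations;
}

// Human-readable report, one line per finding; empty string means the lockfile passed.
function formatReport(violations) {
  return violations.map((v) => `${v.spec}: ${v.reason}`).join("\n");
}

// Stand-alone run over the constructed lockfile.
const findings = checkLockfile(SAMPLE_YARN_LOCK);
console.log(findings.length === 0 ? "lockfile OK" : formatReport(findings));
```

Run against a real project with the file contents read from disk in place of `SAMPLE_YARN_LOCK`; a non-empty result is the signal a CI job should fail on. The allow-list and the HTTPS requirement are the two knobs that correspond to lockfile-lint's `--allowed-hosts` and `--validate-https` options mentioned in the comment.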
