How not to care about unpublishgate

So, you all heard about #npmgate a.k.a. #unpublishgate. Azer removed left-pad from the official npm registry and all hell broke loose. Most of the npm builds in the world are failing today because a tiny (17 lines of JS code!) but very popular library was obliterated from a central repository (which teaches us a lesson about how central repositories should behave, but that’s a topic for another blog post. Teaser – Bintray does it right).

How did it happen that the whole Node.js industry was affected? Artifact repositories, like JFrog Artifactory, while standard in the Java world, aren’t used enough in the JavaScript world. So it’s considered normal for a JavaScript build to go to the central npm registry directly. We heard a lot of rationalizations for why it’s OK (the dependencies are few, their updates are rare, Artifactory is overkill), and here we are. So, the organizations that use Artifactory go like:

popcorn-eating
All the rest wish they had one.

In the meantime, if you’re affected, you can use JFrog’s public Artifactory instance. It has the removed artifact (click Set Me Up for instructions on how to make npm work with it).
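
One way to check whether a build still reaches past the repository manager to the central registry is to audit the `resolved` URLs in `package-lock.json`. This is an added example, not code from the original post or from JFrog; the proxy host name, the `npm-virtual` repository name and the sample lockfile are hypothetical and constructed for illustration.

```javascript
'use strict';
// Hypothetical internal proxy host; replace with your own repository manager.
const PROXY_HOST = 'artifactory.example.internal';

// Collect { name, resolved } for every installed package in a parsed
// package-lock.json: the flat "packages" map (lockfileVersion 2/3) or the
// nested "dependencies" tree (lockfileVersion 1).
function collectResolved(lock) {
  const entries = [];
  if (lock.packages) {
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (path === '' || meta.link || !meta.resolved) continue; // root, workspace links
      const name = path.replace(/^.*node_modules\//, '');
      entries.push({ name, resolved: meta.resolved });
    }
    return entries;
  }
  const walk = (deps) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      if (meta.resolved) entries.push({ name, resolved: meta.resolved });
      walk(meta.dependencies);
    }
  };
  walk(lock.dependencies);
  return entries;
}

// Report packages whose source is not the proxy host. Git and file sources
// are reported too, since they also bypass the repository manager.
function findDirectFetches(lock, proxyHost = PROXY_HOST) {
  return collectResolved(lock).filter(({ resolved }) => {
    try {
      return new URL(resolved).hostname !== proxyHost;
    } catch {
      return true; // not a parsable URL: flag for manual review
    }
  });
}

// Constructed sample lockfile, not taken from a real project.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/left-pad': { version: '1.0.0', resolved: 'https://registry.npmjs.org/left-pad/-/left-pad-1.0.0.tgz' },
    'node_modules/@demo/util': { version: '2.0.0', resolved: 'https://artifactory.example.internal/api/npm/npm-virtual/@demo/util/-/util-2.0.0.tgz' },
  },
};
for (const { name, resolved } of findDirectFetches(sampleLock)) console.log(`${name} -> ${resolved}`);
```

Run against a real lockfile in CI, a non-empty result means at least one dependency would disappear from the build if its upstream source removed it.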
