--
What we're seeing in practice is just weird and broken behavior,
usually because an old version of something (say, a package from 2
years ago, which doesn't work on modern node) might have no engines
specified, but a newer version of the same package (which works fine
on 0.8) has "engines":{"node":"0.6.x"} specified. So, npm tries to
find the most recent version that it thinks will work, and it gets
0.1.2 (which is broken and old) instead of 4.8.12 (which is new, and
works). That's the opposite of the intent. A nag would be more
appropriate in that case, I think.
That suggests a twofold approach:
1) bug authors to fix their metadata
2) allow user intervention on a package-by-package basis to override.
Globally ignoring metadata sounds like a recipe for DLL-hell
> nodejs+unsubscribe@googlegroups.com
> For more options, visit this group at
> http://groups.google.com/group/nodejs?hl=en?hl=en
>
> --
> Job Board: http://jobs.nodejs.org/
> Posting guidelines:
> https://github.com/joyent/node/wiki/Mailing-List-Posting-Guidelines
> You received this message because you are subscribed to the Google
> Groups "nodejs" group.
> To post to this group, send email to nod...@googlegroups.com
> To unsubscribe from this group, send email to
> nodejs+unsubscribe@googlegroups.com
>> > nodejs+unsubscribe@googlegroups.com
>> > For more options, visit this group at
>> > http://groups.google.com/group/nodejs?hl=en?hl=en
>> >
>> > --
>> > Job Board: http://jobs.nodejs.org/
>> > Posting guidelines:
>> > https://github.com/joyent/node/wiki/Mailing-List-Posting-Guidelines
>> > You received this message because you are subscribed to the Google
>> > Groups "nodejs" group.
>> > To post to this group, send email to nod...@googlegroups.com
>> > To unsubscribe from this group, send email to
>> > nodejs+unsubscribe@googlegroups.com
>> > For more options, visit this group at
>> > http://groups.google.com/group/nodejs?hl=en?hl=en
>
> --
> Job Board: http://jobs.nodejs.org/
> Posting guidelines:
> https://github.com/joyent/node/wiki/Mailing-List-Posting-Guidelines
> You received this message because you are subscribed to the Google
> Groups "nodejs" group.
> To post to this group, send email to nod...@googlegroups.com
> To unsubscribe from this group, send email to
> nodejs+unsubscribe@googlegroups.com
> For more options, visit this group at
> http://groups.google.com/group/nodejs?hl=en?hl=en
>> > nodejs+unsubscribe@googlegroups.com
>> > For more options, visit this group at
>> > http://groups.google.com/group/nodejs?hl=en?hl=en
>> >
>> > --
>> > Job Board: http://jobs.nodejs.org/
>> > Posting guidelines:
>> > https://github.com/joyent/node/wiki/Mailing-List-Posting-Guidelines
>> > You received this message because you are subscribed to the Google
>> > Groups "nodejs" group.
>> > To post to this group, send email to nod...@googlegroups.com
>> > To unsubscribe from this group, send email to
>> > nodejs+unsubscribe@googlegroups.com
>> > For more options, visit this group at
>> > http://groups.google.com/group/nodejs?hl=en?hl=en
>
> --
> Job Board: http://jobs.nodejs.org/
> Posting guidelines:
> https://github.com/joyent/node/wiki/Mailing-List-Posting-Guidelines
> You received this message because you are subscribed to the Google
> Groups "nodejs" group.
> To post to this group, send email to nod...@googlegroups.com
> To unsubscribe from this group, send email to
> nodejs+unsubscribe@googlegroups.com
> For more options, visit this group at
> http://groups.google.com/group/nodejs?hl=en?hl=en
>> > nodejs+unsubscribe@googlegroups.com
>> > For more options, visit this group at
>> > http://groups.google.com/group/nodejs?hl=en?hl=en
>> >
>> > --
>> > Job Board: http://jobs.nodejs.org/
>> > Posting guidelines:
>> > https://github.com/joyent/node/wiki/Mailing-List-Posting-Guidelines
>> > You received this message because you are subscribed to the Google
>> > Groups "nodejs" group.
>> > To post to this group, send email to nod...@googlegroups.com
>> > To unsubscribe from this group, send email to
>> > nodejs+unsubscribe@googlegroups.com
>> > For more options, visit this group at
>> > http://groups.google.com/group/nodejs?hl=en?hl=en
>
> --
> Job Board: http://jobs.nodejs.org/
> Posting guidelines:
> https://github.com/joyent/node/wiki/Mailing-List-Posting-Guidelines
> You received this message because you are subscribed to the Google
> Groups "nodejs" group.
> To post to this group, send email to nod...@googlegroups.com
> To unsubscribe from this group, send email to
> nodejs+unsubscribe@googlegroups.com
> Another option might be to let authors add an "enginesStrict" booleanHow does that strike you? Then it would be a warning, unless the
> flag in their package.json which would say, "No, seriously, this WILL
> NOT WORK except with the specified versions, so don't even try to use
> it."
author says, "No, srsly, I really mean it," in which case, it'd use
the current behavior. (And please don't do that for 0.8.x, because
it's probably just going to be annoying in a few months, like how
"0.6.x" is now.)
Matt, Ian,
It was once said, in the Long Ago Days of the Time Before,
> Another option might be to let authors add an "enginesStrict" boolean
> flag in their package.json which would say, "No, seriously, this WILL
> NOT WORK except with the specified versions, so don't even try to use
> it."
How does that strike you? Then it would be a warning, unless the
author says, "No, srsly, I really mean it," in which case, it'd use
the current behavior. (And please don't do that for 0.8.x, because
it's probably just going to be annoying in a few months, like how
"0.6.x" is now.)
> What CPAN does is always get the most recent, and if it fails becauseThat's basically what I'm proposing as the default. Install the
> of a reason like this (in Perl terms, the Makefile.PL has a "use <version>"
> tag), it just fails. To get an older version you have to ask for that version
> specifically. Would this not work here?
latest available, and if it breaks, oh well. The "engines"
restriction is thus an advisory warning.
npm != CPAN. In many ways, CPAN is better (mostly owing to many more
years), but in others, npm is better (mostly owing to being invented
in an era when CPAN already existed.) "Just try the latest and then
fail" is not exactly the npm way, and making npm behave exactly like
CPAN would be a bit silly.
> if (node version > package's "engines" tag), then don't track back to look for older versions.The problem is that it's a range, not a single value.
> So what happens thenToday, if you didn't remove the older version, then they'll get the
> when someone on 0.6.15 tried to install my library. Will it throw an error,
> or will it load the previously published version that had the >=0.6.0
> constraint and the nasty security hole?
old version of vfs-local. With this change, they'll get the new
version of vfs-local, and see a warning that their node version needs
to be upgraded.
If you did unpublish, then before this change, they'd get an ENOTSUP
(and probably run with --force, and get no warning or error.) With
the change, they'd get the warning.
Seems to me like actually a slightly better outcome in both cases.
What you need to do in that case is with the new behavior is:
1. Remove the old copies of the module.
2. add to package.json: "engines": {"node": ">=0.6.16"}, "engineStrict": true
What you had to do with the prior behavior was:
1. Remove old copies of the module.
2. add to package.json: "engines": {"node": ">=0.6.16"}
> Why is trying to go back in history to find a version that matches soIt's important because there is a much more common case than the one
> important?
you're describing: You write version 1.0 with node 0.6 in mind. Make
changes, updates, yadda yadda. Then 0.8 comes out, and you add
support for that. You release 2.0 with the engines setting on it.
For a while, you may even be releasing updates to both the 1.0 and the
2.0 versions! So, you'd prefer to have 0.6.x users get the 1.0.latest
and 0.8.x users get the 2.0.latest.
If actual breakage is the concern then maybe things need to be broken when it seems plausible, just long enough to determine whether to reverse the break or not. For certain, when it IS broken, the feedback will be immediate and sincere.
If you publish your module with 0.6.x you tacitly engage yourself to maintaining it and publishing a newer version shortly after 0.8 is released, don't you?
The rule should be to publish with >= x.y.z unless you know that some upcoming or already released change will break your code.
If you don't know what the future will be, you should bet on the fact that things won't break. Does not mean that they won't ever break but you'll take action when they do. Be optimistic!.
So I don't see anything wrong with the "engines" feature itself. The problem is that it has been misused.