Hacker News

jamesrom today at 7:17 AM

This is the opposite of the "do one thing and do it well" Unix philosophy.

You don't need your package manager to invoke your hook. You need _your_ tooling to invoke your hook.

./safely-bump-deps.sh && npm install

Want it global? Use a bash alias.


Replies

captn3m0 today at 7:34 AM

Aliases and pre-hooks are nowhere near the guarantees you want, that’s what I am arguing - not everything is invoked from a blessed shell. safely-bump-deps.sh is also impossibly hard to write because you are replicating _all of the work NPM does in transitive dependency resolution_. Unless you are re-generating the lock file from scratch - it isn’t safe. Just updating package.json isn’t sufficient, for example.
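The gap between package.json and the lock file raised in the comment above, as an added example that is not part of the thread: it splits the entries of a lock file into those named in the manifest and those that only dependency resolution put there. The manifest, lock file and package names are constructed sample data; the `packages` map keyed by `node_modules/` paths is the lockfileVersion 2/3 layout, and workspace link entries are not handled.

```javascript
// Constructed sample manifest (package.json) -- hypothetical package names.
const manifest = {
  name: "demo-app",
  dependencies: { "web-framework": "^4.0.0" },
  devDependencies: { "test-runner": "^2.0.0" },
};

// Constructed sample lock file (package-lock.json, lockfileVersion 3 layout).
const lockfile = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app" },
    "node_modules/web-framework": { version: "4.1.0" },
    "node_modules/body-parser-lite": { version: "1.2.3" },
    "node_modules/test-runner": { version: "2.0.1", dev: true },
    "node_modules/web-framework/node_modules/tiny-util": { version: "0.9.0" },
  },
};

const MARKER = "node_modules/";

// "node_modules/a/node_modules/@s/b" -> "@s/b"
function nameFromLockPath(path) {
  return path.slice(path.lastIndexOf(MARKER) + MARKER.length);
}

// Split locked packages into those the manifest names and those it does not.
function classifyLockedPackages(manifest, lockfile) {
  const declared = new Set([
    ...Object.keys(manifest.dependencies || {}),
    ...Object.keys(manifest.devDependencies || {}),
    ...Object.keys(manifest.optionalDependencies || {}),
  ]);
  const result = { direct: [], transitive: [] };
  for (const [path, entry] of Object.entries(lockfile.packages || {})) {
    if (path === "") continue; // the root project itself
    const name = nameFromLockPath(path);
    // A nested path means the copy belongs to another package, never the root.
    const nested = path.indexOf(MARKER) !== path.lastIndexOf(MARKER);
    const bucket = !nested && declared.has(name) ? "direct" : "transitive";
    result[bucket].push(`${name}@${entry.version}`);
  }
  return result;
}

console.log(classifyLockedPackages(manifest, lockfile));
```

Everything in the `transitive` list is installed without ever appearing in package.json, so a check that reads only the manifest never sees it.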

staticshock today at 7:20 AM

Arguably, npm does one thing, but it does it poorly.