@cometkim
Last active July 30, 2024 13:59
How package managers deal with binaries from transitive dependencies
$pm add vite

# should succeed
$pm run vite --version

# should fail
$pm run esbuild --version

Installing vite brings in four binaries: vite itself, plus rollup, esbuild and nanoid from its transitive dependencies.

A user expects only vite to be available after installing vite with a package manager (especially when installing into the global $PATH). However, the behavior varies:

  • npm downloads all of them into node_modules/.bin and links all of them into the project / $PATH
  • Yarn downloads all of them into node_modules/.bin but links only vite into the project / $PATH
  • pnpm downloads only vite into node_modules/.bin, and links only vite into the project / $PATH
  • Bun downloads all of them into node_modules/.bin, and links all of them into the project / $PATH

Because of this behavior, npm and Bun are a poor fit for managing global installations. It is a security risk (supply chain attacks: a transitive dependency you never asked for ends up as a command on your $PATH), and it bloats shell completions.

@rafaeleyng

Sorry for the basic question, but can you clarify what you mean about Bun not being good for managing global installations?

Do you mean I shouldn't do asdf global bun 1.1.11, for instance, and only do asdf local bun 1.1.11? Or is there something more to it?

@cometkim (Author)

cometkim commented Jun 4, 2024

@rafaeleyng This is not a note related to asdf. This means that when you run bun add -g some-cli you may accidentally install other transitive binaries too.

@rafaeleyng

Thanks! 👍
