    2525 points hownottowrite | 17 comments
    Aozi ◴[] No.21190660[source]
    What we need is a JS developer to take down an important package from NPM in protest, thus breaking the Internet again.
    replies(2): >>21190743 #>>21194973 #
    1. byte1918 ◴[] No.21190743[source]
    The NPM fiasco should no longer be possible

    If you want to unpublish a package after 72 hours have passed, contact npm Support. For more information about why we don’t allow users to unpublish packages after 72 hours, see our unpublish policy.

    https://docs.npmjs.com/unpublishing-packages-from-the-regist...

    replies(4): >>21190798 #>>21190801 #>>21190806 #>>21191523 #
    2. celticninja ◴[] No.21190798[source]
    Could you just publish garbage instead?
    replies(2): >>21190867 #>>21190869 #
    3. leppr ◴[] No.21190801[source]
    It was never possible without "admin" intervention. That whole incident was NPM's sole responsibility.
    replies(1): >>21192982 #
    4. Crinus ◴[] No.21190806[source]
    Not sure how npm works in detail, doesn't it pull directly from devs' repositories? In that case can't the devs just publish an update that breaks everything?
    replies(2): >>21190848 #>>21190870 #
    5. julianwachholz ◴[] No.21190848[source]
    This wouldn't be as big of a problem with version pinning.
    6. yoz-y ◴[] No.21190867[source]
    You could but everybody uses version pinning in production, right?
    replies(2): >>21190928 #>>21191443 #
    7. jpangs88 ◴[] No.21190869[source]
    Versioned garbage, but yeah you could. It would just make a new version not work which isn't as harmful as taking away a package.
    8. parsimo2010 ◴[] No.21190870[source]
    npm allows for installation of specific versions. So even if a dev publishes a new version that breaks you can select a previous version known to work. A good dev shouldn’t be updating willy-nilly to the latest version just because it’s the latest. They ought to spec a particular version and update after testing.
    replies(1): >>21191856 #
    9. emsy ◴[] No.21190928{3}[source]
    People who are serious about reproducible builds host their own repos. Most people probably don’t know the difference between ^1.0.1 and ~1.0.1
    replies(1): >>21191115 #
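    As an added illustration of the `^1.0.1` vs `~1.0.1` point (not code from anyone in this thread), the snippet below implements npm's caret, tilde and exact-pin range semantics for plain MAJOR.MINOR.PATCH versions and resolves each range against a constructed list of published versions, so you can see which ranges would silently pull in a newly published release and which would not. Prerelease tags and other range operators are out of scope and are assumed absent.

```javascript
// Added example: npm-style semver range resolution (caret, tilde, exact pin).
// Assumption: versions are plain MAJOR.MINOR.PATCH with no prerelease tags.

function parse(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  if (!m) throw new Error(`unsupported version: ${v}`);
  return m.slice(1).map(Number);
}

function compare(a, b) {
  const [pa, pb] = [parse(a), parse(b)];
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] - pb[i];
  }
  return 0;
}

// Exclusive upper bound [major, minor, patch] that a range allows.
function upperBound(range) {
  const op = range[0];
  const [maj, min, pat] = parse(op === '^' || op === '~' ? range.slice(1) : range);
  if (op === '~') return [maj, min + 1, 0];        // ~1.0.1 -> >=1.0.1 <1.1.0
  if (op === '^') {
    if (maj > 0) return [maj + 1, 0, 0];            // ^1.0.1 -> >=1.0.1 <2.0.0
    if (min > 0) return [0, min + 1, 0];            // ^0.2.3 -> >=0.2.3 <0.3.0
    return [0, 0, pat + 1];                         // ^0.0.3 -> >=0.0.3 <0.0.4
  }
  return [maj, min, pat + 1];                       // exact pin: only that version
}

function satisfies(range, version) {
  const base = range[0] === '^' || range[0] === '~' ? range.slice(1) : range;
  const hi = upperBound(range).join('.');
  return compare(version, base) >= 0 && compare(version, hi) < 0;
}

// Highest published version matching the range, which is what an install
// without a lockfile would pick.
function resolve(range, available) {
  const ok = available.filter((v) => satisfies(range, v)).sort(compare);
  return ok.length ? ok[ok.length - 1] : null;
}

// Constructed sample of a package's published versions.
const AVAILABLE = ['1.0.1', '1.0.9', '1.4.0', '1.4.2', '2.0.0'];
console.log(resolve('^1.0.1', AVAILABLE)); // 1.4.2
console.log(resolve('~1.0.1', AVAILABLE)); // 1.0.9
console.log(resolve('1.0.1', AVAILABLE));  // 1.0.1
```

Appending a hypothetical new release such as `1.5.0` to `AVAILABLE` changes what `^1.0.1` resolves to, while the exact pin still returns `1.0.1`.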
    10. bakuninsbart ◴[] No.21191115{4}[source]
    Thanks for making me look that up!
    11. delfinom ◴[] No.21191443{3}[source]
    If only npm's version pinning actually version pinned without idiotic subrules. package-lock.json is just one massive lie.
    replies(1): >>21192691 #
    12. precisioncoder ◴[] No.21191523[source]
    Doesn't the code still technically belong to you? Can't you submit a takedown request?
    replies(1): >>21191994 #
    13. monocasa ◴[] No.21191856{3}[source]
    Doesn't npm allow a dev to replace or redact already released versions?
    14. jrockway ◴[] No.21191994[source]
    It belongs to you but you distributed it with a license that gives away some of your rights.
    15. minitech ◴[] No.21192691{4}[source]
    What do you mean?
    16. minitech ◴[] No.21192982[source]
    That’s… plainly wrong. `npm unpublish --force your-package` would really just unpublish your package.
    replies(1): >>21198323 #
    17. leppr ◴[] No.21198323{3}[source]
    Okay, that's embarrassing, thanks. Hard to believe it took so long before the left-pad debacle happened.