Dynamic default versions · Issue #93 · nodejs/corepack · GitHub

Dynamic default versions #93

@mcollina

One of the main reasons we adopted corepack was to avoid work in nodejs/node to support multiple package managers. There is a measurable amount of traffic on our H1 due to vulnerabilities in the npm dependencies, and we are struggling to keep npm up to date. Unfortunately corepack increases this load and it makes it even less apparent and hard to track as the vulnerabilities would not be apparent to the users.

I propose that the config file include only the major version of each package manager. This will ensure that for a specific version of Node.js there won't be any breaking change (I consider the drop of a Node.js version a breaking change).
Then we will update the major version of each package manager whenever we ship a new major release of Node.js.

I would also recommend that the config file is not bundled in but loaded at runtime. This will simplify maintenance on the Node.js side so we could just update the config file without updating corepack (and vice versa). This also enables multiple Node.js lines to have the same version of corepack but different defaults.
