Upload package to NPM / Yarn Registries
Currently, using the package requires using this repo via:
"electrum-client": "https://github.com/BlueWallet/rn-electrum-client",
Please upload it to NPM / Yarn Registries: https://yarnpkg.com/package/rn-electrum-client https://www.npmjs.com/package/rn-electrum-client
So it can be used instead with:
"electrum-client": "rn-electrum-client",
what's the point? except putting a different string in your package.json?
> what's the point? except putting a different string in your package.json?
There are several benefits to using a package instead of a git repo (probably more exist as well):
- The git repo can be removed/relocated/changed in a way that will break the build, such as the commit used for locking no longer existing (a full history rewrite happened) or the repo getting deleted, etc. JS packages in repos have safeguards against such scenarios (see the left-pad event and the changes that were applied to the JS packaging ecosystem afterwards).
- The packaging can result in a smaller download (fewer files). Also, while the JS ecosystem is not there yet, with widespread reproducible builds, matching git repo content to package content will bring more security to the packaging/build process.
- It doesn't require installing an additional git package, thus fewer deps are needed in release compilation.
- Using tools that check package lock files for whitelisted entries makes it easier to verify that only 1 allowed domain is used (like the npm or yarn registry); see: https://snyk.io/blog/why-npm-lockfiles-can-be-a-security-blindspot-for-injecting-malicious-modules/ and the tool https://github.com/lirantal/lockfile-lint which can be run by
  npx lockfile-lint --path yarn.lock --allowed-hosts yarn --validate-https
  to ensure only the yarn registry is used.
- Packages are more supported with many tools (like proxy caching proxies, tools that check for newer/outdated/vulnerable versions, etc.)
You can also see the issue: https://github.com/bitcoin-dot-org/BitcoinWalletMobile/issues/5 which is about this issue and why it was opened (another project which I reviewed the build process for uses this repo).
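
The allowed-host check mentioned in the comment above, sketched as an added example (not part of the thread and not lockfile-lint's own code). It assumes the yarn.lock v1 text format; the lockfile sample is constructed with placeholder hashes and commit id, and `parseLock` / `lintLock` are hypothetical names.

```javascript
// Constructed sample: one git-hosted dependency, one registry package,
// and one registry package fetched over plain http.
const SAMPLE_LOCK = `
"electrum-client@https://github.com/BlueWallet/rn-electrum-client":
  version "1.0.0"
  resolved "https://codeload.github.com/BlueWallet/rn-electrum-client/tar.gz/COMMIT_PLACEHOLDER"

left-pad@^1.3.0:
  version "1.3.0"
  resolved "https://registry.yarnpkg.com/left-pad/-/left-pad-1.3.0.tgz#HASH_PLACEHOLDER"

example-pkg@^2.0.0:
  version "2.0.0"
  resolved "http://registry.yarnpkg.com/example-pkg/-/example-pkg-2.0.0.tgz#HASH_PLACEHOLDER"
`;

// Collect { key, resolved } for every entry in a yarn.lock v1 file.
function parseLock(text) {
  const entries = [];
  let current = null;
  for (const line of text.split('\n')) {
    if (/^\S.*:\s*$/.test(line) && !line.startsWith('#')) {
      // An unindented line ending in ":" opens a new entry.
      current = { key: line.trim().slice(0, -1).replace(/"/g, ''), resolved: null };
      entries.push(current);
    } else if (current) {
      const m = line.match(/^\s+resolved\s+"([^"]+)"/);
      if (m) current.resolved = m[1];
    }
  }
  return entries;
}

// Report every entry fetched from a host outside allowedHosts or without https.
function lintLock(text, allowedHosts) {
  const findings = [];
  for (const { key, resolved } of parseLock(text)) {
    if (!resolved) continue; // entry records no download URL
    let url;
    try { url = new URL(resolved); }
    catch { findings.push({ key, issue: 'unparseable URL' }); continue; }
    if (url.protocol !== 'https:') findings.push({ key, issue: `non-https scheme ${url.protocol}` });
    if (!allowedHosts.includes(url.hostname)) findings.push({ key, issue: `host not allowed: ${url.hostname}` });
  }
  return findings;
}

for (const f of lintLock(SAMPLE_LOCK, ['registry.yarnpkg.com'])) console.log(`${f.key}: ${f.issue}`);
```

With only the yarn registry allowed, the git-hosted `electrum-client` entry is reported because its tarball comes from a different host, which is the situation a registry-published package would avoid.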