Write our own minimum copy of npm in Python to remove dependency on Node.js during installation
closes https://github.com/Distributive-Network/PythonMonkey/issues/116
There must be a simpler way to handle the error condition of npm not existing than to write and ship a replacement package manager. How about sys.exit('npm not found - please install and pip install pythonmonkey again')
If we were to ship this, it would need to
- resolve packages in a way that conflicting version numbers in dependencies work properly by virtue of nested node_modules (i.e. naive path flattening is not good enough)
- fire npm hooks correctly
- support `npm audit`
- interoperate correctly with Tidelift
- support `pminit npm i <user package>` after install
- resolve the latest package names that match package.json, not package-lock.json
- never, ever, have a versioning bug that can miss an update and expose Distributive to legal liability problems from a third party
Those last two are why I don't want to ship packages with the wheel. Besides shipping cool software, I need to protect the company from ever being associated with a security problem, e.g. getting mentioned in a CVE vulnerability report. This could seriously harm our ability to carry out our core business in the future.
Some day, I would like to have enough node-compatibility capability to actually run npm via pythonmonkey. We could maybe use pmpm to install npm as a special bootstrap case, since it has no dependencies. But we are quite a ways off from this, and we really need to focus on getting dcp-client running in web-compatibility mode before that. Is there perhaps a way we can pass a command-line switch into pip that changes the package manager?
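The nested-node_modules requirement from the list above, as an added Python example that is not code from the PythonMonkey project or from this PR: a constructed in-memory registry (the package names `lib-a`, `lib-b`, `util` and their versions are made up), a small subset of semver range matching, a naive flattening installer and a hoisting/nesting resolver, so that the conflicting `util` requirement can be seen breaking the flat layout and being satisfied by the nested one. `pick_latest` also illustrates the package.json-not-package-lock.json point: it selects the highest published version matching the range rather than replaying a pinned version.

```python
from __future__ import annotations
from dataclasses import dataclass, field

# Constructed in-memory registry (made-up names/versions): package -> version -> dependency ranges.
REGISTRY: dict[str, dict[str, dict[str, str]]] = {
    "lib-a": {"1.0.0": {"util": "^1.0.0"}},
    "lib-b": {"2.0.0": {"util": "^2.0.0"}},
    "util": {"1.2.0": {}, "1.4.1": {}, "2.0.3": {}, "2.1.0": {}},
}

def parse_version(v: str) -> tuple[int, int, int]:
    major, minor, patch = (int(x) for x in v.split("."))
    return (major, minor, patch)

def satisfies(version: str, spec: str) -> bool:
    """Subset of semver ranges: '*', exact, ^x.y.z and ~x.y.z."""
    if spec == "*":
        return True
    v = parse_version(version)
    if spec[0] not in "^~":
        return v == parse_version(spec)
    lo = parse_version(spec[1:])
    if v < lo:
        return False
    if spec[0] == "~" or (lo[0] == 0 and lo[1] > 0):
        return v[:2] == lo[:2]   # ~x.y.z and ^0.y.z: same major.minor
    if lo[0] > 0:
        return v[0] == lo[0]     # ^x.y.z with x > 0: same major
    return v == lo               # ^0.0.z: exact

def pick_latest(name: str, spec: str) -> str:
    """Highest published version matching the package.json range (no lockfile replay)."""
    candidates = [v for v in REGISTRY[name] if satisfies(v, spec)]
    if not candidates:
        raise LookupError(f"no version of {name} satisfies {spec}")
    return max(candidates, key=parse_version)

def flatten_naively(root_deps: dict[str, str]) -> dict[str, str]:
    """The broken approach: one flat node_modules, last writer wins."""
    installed: dict[str, str] = {}
    def visit(deps: dict[str, str]) -> None:
        for name, spec in deps.items():
            version = pick_latest(name, spec)
            installed[name] = version  # silently replaces a conflicting copy
            visit(REGISTRY[name][version])
    visit(root_deps)
    return installed

def flat_violations(root_deps: dict[str, str]) -> list[tuple[str, str, str, str]]:
    """(requirer, dependency, range, installed) for each range the flat layout breaks."""
    installed = flatten_naively(root_deps)
    return [(name, dep, spec, installed[dep])
            for name, version in installed.items()
            for dep, spec in REGISTRY[name][version].items()
            if not satisfies(installed[dep], spec)]

@dataclass(eq=False)  # identity comparison so chain.index() finds the exact node
class Node:
    name: str
    version: str
    node_modules: dict[str, Node] = field(default_factory=dict)

def install(chain: list[Node], name: str, spec: str) -> None:
    """Install `name` for the requirer chain[-1], hoisted as high as Node's lookup allows."""
    # Node resolves require() by walking node_modules from the requirer upward; first hit wins.
    for ancestor in reversed(chain):
        found = ancestor.node_modules.get(name)
        if found is not None:
            if satisfies(found.version, spec):
                return  # an acceptable copy is already visible to the requirer
            break       # the visible copy conflicts: a second copy must sit below it
    version = pick_latest(name, spec)
    target = chain[-1]
    for ancestor in reversed(chain):
        if name in ancestor.node_modules:
            break       # cannot hoist past a different version of the same package
        target = ancestor
    node = Node(name, version)
    target.node_modules[name] = node
    node_chain = chain[: chain.index(target) + 1] + [node]
    for dep_name, dep_spec in REGISTRY[name][version].items():
        install(node_chain, dep_name, dep_spec)

def resolve_nested(root_deps: dict[str, str]) -> Node:
    root = Node("<root>", "0.0.0")
    for name, spec in root_deps.items():
        install([root], name, spec)
    return root

def layout(node: Node, prefix: str = "node_modules") -> dict[str, str]:
    """Map each on-disk path to the version that would be installed there."""
    out: dict[str, str] = {}
    for name, child in node.node_modules.items():
        path = f"{prefix}/{name}"
        out[path] = child.version
        out.update(layout(child, f"{path}/node_modules"))
    return out

if __name__ == "__main__":
    deps = {"lib-a": "^1.0.0", "lib-b": "^2.0.0"}
    print("flat  :", flatten_naively(deps), "violations:", flat_violations(deps))
    print("nested:", layout(resolve_nested(deps)))
```

With the constructed registry, the flat installer ends up with a single `util@2.1.0` that breaks `lib-a`'s `^1.0.0` range, while the nested resolver hoists `util@1.4.1` to the top level and places `util@2.1.0` under `node_modules/lib-b/node_modules`, which is exactly the layout Node's upward `require()` lookup needs. The placement rule (install at the highest ancestor that can be reached without passing an existing copy of the same name) is the same invariant a real hoisting installer has to maintain, and the depth-first order matters: a package's own dependencies are placed before its children's, so a later nested copy can never shadow an earlier hoisted one for a requirer that already resolved it.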
This MR is set to draft and will not be revisited until later - see comment here: https://github.com/Distributive-Network/PythonMonkey/pull/129#issuecomment-1641935509
I've made the CI green, so that we could easily continue the work later.