@cometkim
Last active May 1, 2024 18:11
How package managers deal with binaries from transitive dependencies

```sh
$pm add vite

# should succeed
$pm run vite --version

# should fail
$pm run esbuild --version
```

vite has 4 transitive binaries: vite, rollup, esbuild and nanoid.

A user expects only vite to be available after installing vite with a package manager (especially when installing into the global $PATH). However, the behavior varies:

  • NPM downloads all of them into node_modules/.bin and links all of them into the project / $PATH
  • Yarn downloads all of them into node_modules/.bin but links only vite into the project / $PATH
  • pnpm downloads only vite into node_modules/.bin, and links only vite into the project / $PATH
  • Bun downloads all of them into node_modules/.bin, and links all of them into the project / $PATH

Because of this behavior, NPM and Bun are not a good fit for managing global installations. It can be a security risk (supply chain attacks: a transitive dependency's binary ends up callable by name on $PATH) and it bloats the completions in the shell environment.
