
Re: [rdo-list] TripleO UI Packaging Strategy



On 21/07/16 16:23, Honza Pokorny wrote:
> There still seems to be some confusion about what we're saying, so let
> me attempt to summarize:
> 
> 1. bundling of npm dependencies (sources) undesirable but temporarily tolerated

Taking the conversation from IRC here:

I don't think we got an answer on this yet.

If you're pulling all dependencies in, and compile a package then,
you're basically creating something comparable to statically linked
binaries: If a library has a security issue, you're going to rebuild the
whole thing.

You mentioned somewhere else, dependencies are pinned: is that true for
dependencies of dependencies as well? Or would I get a different
tarball, when collecting all dependencies (and deps of deps) in a few weeks?


> node_modules/ directory --- npm downloads sources along with artifacts
> (e.g. if the package is written in coffee-script, it will contain both
> the coffee-script sources and the compiled js).  And, we plan to use npm
> to also build the minified code (e.g. "npm run build").


-- 
Matthias Runge <mrunge redhat com>

Red Hat GmbH, http://www.de.redhat.com/, Registered seat: Grasbrunn,
Commercial register: Amtsgericht Muenchen, HRB 153243,
Managing Directors: Charles Cachera, Michael Cunningham,
                    Michael O'Neill, Eric Shander
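
The question above about dependencies of dependencies can be checked mechanically. The following is an added example, not part of the original message or of the TripleO UI code: it walks a constructed set of package.json manifests and reports every version spec, at any depth, that is not an exact pin. The package names, versions and the flat name-keyed map are assumptions made for illustration.

```javascript
// Constructed sample: package.json manifests as they might sit under
// node_modules/. All names and versions are made up. Assumption: one
// version per package name, so the map is keyed by name only.
const manifests = {
  "example-ui": { version: "1.0.0", dependencies: { "lib-a": "2.3.1", "lib-b": "0.9.4" } },
  "lib-a": { version: "2.3.1", dependencies: { "lib-c": "^1.2.0" } },
  "lib-b": { version: "0.9.4", dependencies: { "lib-c": "1.2.0", "lib-d": "~3.0.0" } },
  "lib-c": { version: "1.2.0", dependencies: {} },
  "lib-d": { version: "3.0.2", dependencies: { "lib-e": "latest" } },
  "lib-e": { version: "5.1.0" },
};

// Only a full x.y.z (optionally with prerelease/build metadata) counts as
// a pin here. Ranges (^, ~, >=, x, *) and dist-tags such as "latest" can
// resolve to different code on a later install.
const EXACT = /^\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?(\+[0-9A-Za-z.-]+)?$/;
function isExactVersion(spec) {
  return EXACT.test(spec.trim());
}

// Walk the dependency graph from the root and report every edge whose
// version spec is not exact, with the path that pulled it in.
function findFloatingDeps(all, root) {
  const findings = [];
  const seen = new Set();
  const stack = [[root, [root]]];
  while (stack.length > 0) {
    const [name, path] = stack.pop();
    if (seen.has(name)) continue; // each package's manifest is read once
    seen.add(name);
    const deps = (all[name] && all[name].dependencies) || {};
    for (const dep of Object.keys(deps).sort()) {
      if (!isExactVersion(deps[dep])) {
        findings.push({ via: path.join(" > "), dep, spec: deps[dep], depth: path.length });
      }
      stack.push([dep, path.concat(dep)]);
    }
  }
  return findings.sort((a, b) => a.depth - b.depth || a.dep.localeCompare(b.dep));
}

for (const f of findFloatingDeps(manifests, "example-ui")) {
  console.log(`${f.via} > ${f.dep}@${f.spec} (depth ${f.depth})`);
}
```

In this sample the top-level manifest pins both of its dependencies exactly, yet three specs further down the tree still float, so collecting the tree a few weeks later can yield a different tarball.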

