Why the move away from npm registry? #2667
Comments
The package on the npm registry is surprisingly popular (one of the top-500 by dependents). npm invalidated the old publish token and is forcing 2FA on the publishing account. Due to ongoing legal matters between SheetJS LLC and npm, Inc. (which will not be discussed here), it did not make sense to continue using the public npm registry for distribution. With GitHub (the owner of NPM) sunsetting the git.io domain with only 4 days notice, we are reminded of the ephemerality of the Internet and the inherent risks of relying on platforms. |
Top 500 NPM package list, 1.26 million downloads a week, over 3000 dependent packages and not even a mention in the README regarding the fact ongoing development for this package won't exist any longer in the single largest JS library platform on the planet (after 8 years). 🤔 |
Mandatory 2FA should be a noop, as a responsible maintainer would already have it enabled. npm publish tokens remain exempt from 2FA, so I'm not clear on why that would be an obstacle. |
Yeah, 2FA should be a no-brainer. And tokens are indeed exempt if specified. |
This is bizarre |
Full disclosure, I happened upon this issue by chance and am not a SheetJS user, but this is... really strange.
What possible justification could you have for taking issue with npm's 2FA requirement for maintainers of popular packages?
I don't see how this is a reason for silently dropping support for npm. If anything, from the perspective of your users it's an argument for the opposite, because npm is statistically way more likely to exist 5 years from now than your personal CDN. Maintainers of OSS projects don't owe people anything, of course, but all I can say is you shouldn't be surprised when people (including your paying customers) look at this whole thing and decide to either fork the project or switch to a competing library not maintained by someone who makes decisions like this. |
I'm imagining a conversation somewhere along the lines of:
Hey, I just got an email saying that our MPM account didn't have 2FA enabled. I think that's like really important, right? Why didn't you have it enabled?
Really sir? That is uh very concerning. They must of uh like um deleted our settings. Deleted our settings?! That's outrageous! They can't do that! Those are OUR settings. You know what, just go ahead and only post it on our site from now on. Post it on our site? Like a CDN? I mean it was probably just a glitch, I'll uh I'll just reset the security settings. Problem solved. No. I doubt these MPM guys will be around a lot longer anyways. You will post it on our site only from now on, am I understood? uh.. yes... Good work, I'm going to go call the lawyers about this.
|
JavaScript hippies back at it again with the tri weekly cdn outages |
Not sure why one would want to use the sheetjs CDN for npm installs instead of just doing something like this (GitHub-based install):
|
npm package xlsx has 1.4 million weekly (!) downloads of outdated version 0.18.5. @SheetJSDev It would be great if you could add a notice to the npm readme. A warning during "npm install xlsx" would also be great, mentioning alternative install methods. |
Hilarious. |
First, thanks for your amazing work on this library. Because of security concerns, I prefer relying on an up-to-date npm package with proper version management and immutable release binaries. If the issue is 2FA-related, other popular packages solved the issue. Without you explaining the other reasons, it is hard to understand the withdrawal. Have a nice day. |
This has got to be the most bizarre OSS move I've seen since 2016 when an angry developer unpublished all his 250 npm packages and broke builds all over the planet.
Whatever your beef with npm is, please work it out and move on. Don't let it ruin what is otherwise an exceptionally well-designed and well-maintained project. |
Just wanted to second the motion for a big update to the README and a warning when installing from the public registry. This is very abnormal and I (like many others, most likely) did not realize I was running on an old version of this package. |
Came across this due to this recently-announced vulnerability (our build pipeline is configured to fail if we have deps containing vulns of a certain level): GHSA-4r6h-8v6p-xvw6 XLSX CE is a great resource, and free, and indeed it is the maintainer's right to host versions wherever they choose. UPDATE 14/06/23: we ended up switching to https://www.npmjs.com/package/export-from-json - a much smaller feature set than sheetjs, but does just what we need, small and no deps. |
Why the move away from GitHub? |
@marracuene how flexible is it? |
@YogliB I suspect it would not handle your use case. In our use case we already have, in-memory, an array of Objects that represent the information to be exported via Excel. All the work to prepare this information has already been done. The only additional work done at time of export (and which the new package allows us to do), is custom-formatting on specific fields. |
I know, I know, But damn, GPT and any search engine out there straight up recommending to just After finally finding relevant docs (you really have to search for it), reading through a bunch of almost irrelevant demos, still couldn't understand why the npm package hasn't been updated in over a year. Is it so good that it doesn't have bugs or improvements to make? Nah, I get it now. This was a fantastic opportunity to switch from work to my 8pm routine of dinner and watching comedy. |
Hi, it's been a year since you wrote that. Please consider updating your npm entry to reflect the vulnerability status of the last posted version and to point people in the right direction? I think it would be the right thing to do for the community. Thanks! |
Hey, folks! I made a little tool that allows you to continue using xlsx in your projects. I'm writing here as well, so that more people interested in solving the problem will get notified 🙂 |
Maybe this package should be marked as deprecated on NPM? 🤔 |
I suggested that.
Do the responsible thing, SheetJS!
On Mon, Oct 2, 2023 at 5:44 a.m., Vincent Giersch <***@***.***> wrote:
… Maybe this package should be marked as deprecated on NPM? 🤔
That doesn't make sense to keep it available like that with an outdated
and with vulnerabilities in it?
|
Pretty please with sugar on top, please release on NPM, You'll fix millions of problems. You remember that song from Mariah Carey? "And then a hero comes along, with the strength to carry on". That will be playing in the background as you do it. |
oof. |
Is sheetjs sold or will it be? |
Since the CE edition is licensed under Apache which allows republishing it with proper attribution I have made a small automated script that periodically checks the CDN and republishes the latest version to NPM if needed. The NPM package can be found here https://www.npmjs.com/package/xlsx-republish. |
What a great public contribution. Well done. We actually moved a way from sheetjs a while ago due to this whole weird soap opera, but you will surely save lots of effort for lots of peeps. |
Looks like there are two republished npm packages:
|
They couldn't figure out how to charge money for the freemium version with NPM. Hard pass. |
So you are saying that the undisclosed legal challenges with NPM that have been mentioned here, have to do with trying to charge for something that is published? That really puts a very different spin on things. |
@srl295 My only objective evidence is that they are trying to sell a paid version on their website. They describe this as the "community edition," an old-timey euphemism popular in the maven world for a particular type of company trying to monetize an open-source project. NPM is not friendly to selling packages, which usually requires a private repository or alternative distribution method. Leaving an ancient version on NPM makes the open-source version worse. This forces developers to the SheetJS website to see the sales pitch and normalizes using a silly private repository for the paid version because the free version already requires it. In either case, despite the impassioned pleas of the maintainer, they look like clowns and nobody should use this project. |
As I noted above, the responsible thing to do would be to mark the versions that are in NPM as deprecated, with a warning. |
@srl295 Strongly agree! I wasted way too much time on this! They probably lost their MFA token though 😆 |
I noticed from this ed18acd that you moved away from publishing to the npm registry and recommend people download using tarballs on the CDN. Why did you move away? The npm registry is an extremely common way to download packages.