BlueWallet / rn-electrum-client

Electrum Client for React Native
https://bluewallet.io
MIT License

Upload package to NPM / Yarn Registries #7

Open emanuelb opened 3 years ago

emanuelb commented 3 years ago

Currently, using the package requires using this repo via:

    "electrum-client": "https://github.com/BlueWallet/rn-electrum-client",

Please upload it to the NPM / Yarn registries: https://yarnpkg.com/package/rn-electrum-client https://www.npmjs.com/package/rn-electrum-client

So it can be used instead with:

    "electrum-client": "rn-electrum-client",

Overtorment commented 3 years ago

what's the point? except putting a different string in your package.json?

emanuelb commented 3 years ago

what's the point? except putting a different string in your package.json?

There are several benefits to using a package instead of a git repo (probably more exist as well):

  1. The git repo can be removed/relocated/changed in a way that will break the build, such as the commit used for locking no longer existing (a full history rewrite happened) or the repo getting deleted, etc... JS packages in repos have a safeguard against such a scenario (see the left-pad event and the changes that were applied to the JS packaging ecosystem afterwards).
  2. The packaging can result in a smaller download (fewer files); also, while the JS ecosystem is not there yet, widespread reproducible builds matching git repo content to package content will bring more security to the packaging/build process.
  3. It doesn't require installing an additional git package, thus fewer deps are needed in release compilation.
  4. Using tools that check package lock files for white-list entries makes it easier to verify that only 1 allowed domain is used (like the npm or yarn registry); see: https://snyk.io/blog/why-npm-lockfiles-can-be-a-security-blindspot-for-injecting-malicious-modules/ and the tool https://github.com/lirantal/lockfile-lint which can be run with npx lockfile-lint --path yarn.lock --allowed-hosts yarn --validate-https to ensure only the yarn registry is used.
  5. Packages are better supported by many tools (like caching proxies, tools that check for newer/outdated/vulnerable versions, etc...).

You can also see the issue: https://github.com/bitcoin-dot-org/BitcoinWalletMobile/issues/5 which is about this issue and why it was opened (another project whose build process I reviewed uses this repo).
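As an added example (not code from rn-electrum-client, BlueWallet or lockfile-lint), here is a minimal JavaScript version of the lockfile check from point 4 above: it parses a yarn.lock v1 file and flags every dependency not resolved over HTTPS from an allowed registry host, which is the policy that the lockfile-lint command quoted there enforces. The allowed-host list, the sample lockfile and the commit hashes in it are constructed assumptions for the demo.

```javascript
// Hosts treated as allowed (assumption: the yarn and npm registries).
const ALLOWED_HOSTS = ["registry.yarnpkg.com", "registry.npmjs.org"];

// Parse "name@range:" headers and their `resolved "..."` lines from a yarn.lock v1
// text. Returns [{ name, resolved }]; resolved is null when the entry has none.
function parseYarnLock(text) {
  const entries = [];
  let current = null;
  for (const line of text.split(/\r?\n/)) {
    if (line.trim() === "" || line.startsWith("#")) continue;
    if (!line.startsWith(" ")) {
      // Header like `a@^1.0.0, a@^1.2.0:` or `"@s/p@1.0.0":`: first key, range stripped.
      const key = line.replace(/:$/, "").split(",")[0].trim().replace(/^"|"$/g, "");
      const name = key.startsWith("@") ? "@" + key.slice(1).split("@")[0] : key.split("@")[0];
      current = { name, resolved: null };
      entries.push(current);
    } else if (current) {
      const m = line.match(/^\s+resolved\s+"([^"]+)"/);
      if (m) current.resolved = m[1];
    }
  }
  return entries;
}

// One { name, reason } per entry whose resolved URL is not https:// on an allowed host.
function lintYarnLock(text, allowedHosts = ALLOWED_HOSTS) {
  const violations = [];
  for (const { name, resolved } of parseYarnLock(text)) {
    let url = null;
    try { url = new URL(resolved); } catch (e) { /* null or malformed: reported below */ }
    if (!url) violations.push({ name, reason: `missing or malformed resolved URL: ${resolved}` });
    else if (url.protocol !== "https:") violations.push({ name, reason: `not https: ${resolved}` });
    else if (!allowedHosts.includes(url.hostname)) violations.push({ name, reason: `host not allowed: ${url.hostname}` });
  }
  return violations;
}

// Constructed yarn.lock fragment (not a real lockfile): a registry entry, a git-pinned
// entry of the kind this issue is about, and one fetched over plain HTTP.
const SAMPLE_LOCK = `# yarn lockfile v1
left-pad@^1.3.0:
  version "1.3.0"
  resolved "https://registry.yarnpkg.com/left-pad/-/left-pad-1.3.0.tgz#5b8a3a5f"
"electrum-client@https://github.com/BlueWallet/rn-electrum-client":
  resolved "https://github.com/BlueWallet/rn-electrum-client#0123abcd"
semver@^7.0.0:
  resolved "http://registry.yarnpkg.com/semver/-/semver-7.3.5.tgz#deadbeef"
`;

console.log(lintYarnLock(SAMPLE_LOCK)); // prints the electrum-client and semver findings
```

Running it against a real yarn.lock only needs the file read in place of SAMPLE_LOCK; a non-empty result should fail the build, the same way a lockfile-lint exit code would.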