mozilla / apk-factory-service

Web service which converts Open Web Apps into native Android apps

Why were node_modules committed? #7

Closed nickdesaulniers closed 10 years ago

nickdesaulniers commented 10 years ago

Instead of committing the node_modules/ dir, you should add your dependencies to package.json and require devs to run npm install after cloning.

ozten commented 10 years ago

npm is insecure for production deployments.

For Persona and other Identity NodeJS projects, we use lockdown, but I'd rather not use this as it still has a lot of rough edges.

Another option is to commit dependencies to git.

Another option is to have a git-submodule or external git repo where we commit node_modules.

We're totally open to a better solution, but the current way is a nice, simple way to handle this. It is also how we solve the same security issue for Python involving pip modules for many of our webapp and web services.
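An added illustration (not code from apk-factory-service or from either commenter) of the pinning idea behind committing dependencies: a POSIX shell script that records a SHA-256 manifest of a reviewed node_modules tree and later checks what npm installed against it, flagging changed, added or missing files. The function names, the CLI dispatch and the manifest format are assumptions.

```shell
#!/bin/sh
# Hypothetical example, not part of the apk-factory-service project.
# Records and verifies a SHA-256 manifest of a node_modules tree so a
# deployment can confirm that what npm installed is byte-for-byte what was
# reviewed, without having to commit node_modules itself.

# gen_manifest DIR OUT : write "hash  ./relative/path" for every file in DIR,
# in a stable sort order so two manifests of identical trees compare equal
gen_manifest() {
    dir=$1; out=$2
    ( cd "$dir" && find . -type f | LC_ALL=C sort | while IFS= read -r f; do
        sha256sum "$f"
    done ) > "$out"
}

# verify_manifest DIR MANIFEST : return 0 only if DIR matches MANIFEST
# exactly; otherwise print each differing entry and return 1
verify_manifest() {
    dir=$1; manifest=$2
    actual=$(mktemp)
    gen_manifest "$dir" "$actual"
    if cmp -s "$manifest" "$actual"; then
        rm -f "$actual"
        return 0
    fi
    # lines only in the manifest are missing/changed on disk,
    # lines only in the fresh scan are unexpected/changed files
    diff "$manifest" "$actual" | grep '^[<>]' \
        | sed 's/^< /missing or changed: /; s/^> /unexpected or changed: /'
    rm -f "$actual"
    return 1
}

# usage: sh depcheck.sh gen    node_modules deps.sha256   (after review)
#        sh depcheck.sh verify node_modules deps.sha256   (at deploy time)
case "${1:-}" in
    gen)    gen_manifest "$2" "$3" ;;
    verify) verify_manifest "$2" "$3" ;;
esac
```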

nickdesaulniers commented 10 years ago

Interesting. Thanks for the insights, @ozten !