On 21/07/16 16:23, Honza Pokorny wrote:
> There still seems to be some confusion about what we're saying, so let
> me attempt to summarize:
>
> 1. bundling of npm dependencies (sources) undesirable but temporarily tolerated
Taking the conversation from IRC here:
I don't think we got an answer on this yet.
If you're pulling all dependencies in and then compile a package,
you're basically creating something comparable to statically linked
binaries: if a library has a security issue, you're going to rebuild the
whole thing.
You mentioned somewhere else that dependencies are pinned: is that true for
dependencies of dependencies as well? Or would I get a different
tarball when collecting all dependencies (and deps of deps) in a few weeks?
> node_modules/ directory --- npm downloads sources along with artifacts
> (e.g. if the package is written in coffee-script, it will contain both
> the coffee-script sources and the compiled js).  And, we plan to use npm
> to also build the minified code (e.g. "npm run build").
-- 
Matthias Runge <mrunge(a)redhat.com>
Red Hat GmbH, http://www.de.redhat.com/, Registered seat: Grasbrunn,
Commercial register: Amtsgericht Muenchen, HRB 153243,
Managing Directors: Charles Cachera, Michael Cunningham,
                    Michael O'Neill, Eric Shander
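An added example, not part of this thread or of any project it discusses, for the transitive-pinning question above: it walks an npm-shrinkwrap-style nested dependency tree and reports every transitive package, which ones were pulled in by a range spec rather than an exact version (so a later collection could yield a different tarball), which lack a resolved source URL, and the resulting name@version bill of materials a packager would consult when a library gets a security fix. The tree shape (dependencies[name] = {version, from, resolved, dependencies}) and the sample tree are assumptions constructed for this example.

```javascript
// Constructed sample tree, made up for this example; not a real project.
const sampleTree = {
  name: "example-ui",
  version: "0.1.0",
  dependencies: {
    "lib-a": {
      version: "1.4.2",
      from: "lib-a@1.4.2",
      resolved: "https://registry.example.invalid/lib-a/-/lib-a-1.4.2.tgz",
      dependencies: {
        // transitive dep pulled in by a caret range: not pinned
        "lib-b": { version: "2.0.5", from: "lib-b@^2.0.0",
                   resolved: "https://registry.example.invalid/lib-b/-/lib-b-2.0.5.tgz" }
      }
    },
    // tilde range and no resolved URL
    "lib-c": { version: "0.9.1", from: "lib-c@~0.9.0" }
  }
};

// An exact semver with no range operator (^, ~, x, *, >=, ...).
const EXACT = /^\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?$/;

// "from" looks like "name@spec"; split on the last "@" so scoped names work.
function specOf(entry) {
  const from = entry.from || "";
  const i = from.lastIndexOf("@");
  return i > 0 ? from.slice(i + 1) : from;
}

// One record per installed package, transitive dependencies included.
function flattenDeps(tree, parentPath = []) {
  const out = [];
  for (const [name, entry] of Object.entries(tree.dependencies || {})) {
    const path = [...parentPath, name];
    out.push({
      path: path.join(" > "),
      name,
      version: entry.version,
      pinned: EXACT.test(specOf(entry)),
      resolved: Boolean(entry.resolved),
    });
    out.push(...flattenDeps(entry, path));
  }
  return out;
}

// What a packager would check before bundling: drifting specs, unresolved
// sources, and the full list of bundled name@version pairs.
function auditTree(tree) {
  const all = flattenDeps(tree);
  return {
    total: all.length,
    unpinned: all.filter(d => !d.pinned).map(d => d.path),
    unresolved: all.filter(d => !d.resolved).map(d => d.path),
    bom: all.map(d => `${d.name}@${d.version}`).sort(),
  };
}
```

The bom list is what you would grep when an advisory names a library: any match means the bundled package has to be rebuilt, exactly as with a statically linked binary.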