crom - npm Package Compare versions

Comparing version 0.0.4 to 0.1.0

package.json

 {
   "name": "crom",
-  "version": "0.0.4",
+  "version": "0.1.0",
   "description": "A package manager without a package registry.",
-  "keywords": [
-    "package",
-    "install"
-  ],
-  "homepage": "https://github.com/mbostock/crom",
   "license": "BSD-3-Clause",
@@ -14,21 +9,3 @@ "author": {
     "url": "http://bost.ocks.org/mike"
-  },
-  "repository": {
-    "type": "git",
-    "url": "https://github.com/mbostock/crom.git"
-  },
-  "main": "index.js",
-  "bin": {
-    "crom": "./bin/crom"
-  },
-  "dependencies": {
-    "d3-array": "0.7",
-    "d3-format": "0.5",
-    "d3-queue": "1.2",
-    "minimist": "1.2",
-    "request": "2.67",
-    "rimraf": "2.5",
-    "semver": "5.1",
-    "unzip": "0.1"
   }
 }

README.md

 # Crom
 
-Crom is an experimental, proof-of-concept package manager that avoids a centralized registry. Like other package managers, Crom allows you to install packages conveniently by name and (optional) version range:
-
-```
-crom install d3/d3-voronoi@0.2
-```
-
-Yet upon installation, Crom expands the name to an explicit definition which is stored in the `crom.json` file:
-
-```json
-{
-  "dependencies": [
-    {
-      "name": "d3-voronoi",
-      "owner": "d3",
-      "version": "0.2.1",
-      "range": "0.2",
-      "url": "https://github.com/d3/d3-voronoi",
-      "releaseUrl": "https://github.com/d3/d3-voronoi/releases/tag/v0.2.1",
-      "sha": "1eb846e5b81ea7e25dab3184fa777a8db325d01146cdae02aa589b2349d162b8"
-    }
-  ]
-}
-```
-
-Thus, Crom allows your users to install your package and its dependencies *without a registry*: dependencies are self-describing URLs rather than names. The adoption of URLs brings us out of the AOL keyword era and onto the modern internet. Package managers should be decoupled from package registries because **authors should be free to publish their software on any platform**, and **users should be free to install software from any platform**.
-
-### Version Discovery
-
-Crom refers to packages by URLs, but it still provides semantic versioning! By querying the package URL, Crom can discover the available releases and chose the release that best satisfies your given version range. Thus, Crom will be able to upgrade your installed dependencies in the future by comparing them to the latest releases.
-
-The current implementation only knows how to talk to GitHub’s [releases API](https://developer.github.com/v3/repos/releases/#list-releases-for-a-repository), but it should be straightforward to design a simpler interchange format for release descriptions to be published anywhere on the internet.
-
-### Package Discovery
-
-When you ask Crom to install a package by name, it searches an extensible list of registries. If only one match is found, it is installed; otherwise, a list of results is presented, and you must choose which of the packages you’d like to install. For example:
-
-```
-crom install d3-format
-```
-
-This currently displays the following error:
-
-```
-? https://github.com/d3/d3-format (★98)
-? https://github.com/jfsiii/d3-format (★0)
-error: multiple “d3-format” modules found
-```
-
-To disambiguate slightly:
-
-```
-crom install d3/d3-format
-```
-
-Or to disambiguate fully:
-
-```
-crom install https://github.com/d3/d3-format@*
-```
-
-The current implementation is limited to GitHub’s [repository search API](https://developer.github.com/v3/search/#search-repositories), but again, it should be straightforward to extend this to other registries, such as [npm](https://npmjs.org).
-
-While other package managers also provide similar search functionality, a critical difference is that **Crom saves the resulting match as a URL** in the `crom.json` metadata; thus, the system is decentralized but installations are still stable and deterministic for your users.
-
-### Installing Packages
-
-This is highly-experimental, but if you’d like to try it out, install Crom via npm:
-
-```
-npm install -g crom
-```
-
-(Yes, this step is slightly ironic. But it’s also practical!)
-
-To install a package by name, say [d3-format](https://github.com/d3/d3-format):
-
-```
-crom install d3-format
-```
-
-If there are multiple matches, Crom displays them and aborts, requiring you to specify exactly which one you want to install. For example, you can specify an owner name:
-
-```
-crom install d3/d3-format
-```
-
-Or you can specify a full URL:
-
-```
-crom install https://github.com/d3/d3-format
-```
-
-Once Crom finds a matching repository, it looks for the latest release that satisfies the semantic version range you specify. (If you don’t specify a version, it uses the `*` range.) For example, to install d3-format version 0.5, which currently maps to the tag [v0.5.0](https://github.com/d3/d3-format/releases/tag/v0.5.0):
-
-```
-crom install d3/d3-format@0.5
-```
-
-If Crom finds a satisfying release, it doesn’t clone the Git repository; it looks for a ZIP file attached to your release and downloads that; if there’s no attached ZIP file, it downloads the source ZIP instead. So, you can put whatever you want inside that ZIP file—namely, generated files—and those will be installed. (Note that the content resolution logic is extensible and defined by the host registry.)
-
-Crom extracts the ZIP file into the `crom_modules` folder, creating a subfolder for each dependency using content-addressable storage. The above command results in the following file structure:
-
-```
-crom_modules
-└─┬ c7c1fee171767e72c496cd6ce88ab203b7e740c6aeb6eb5add59952337a6ffc8
-  ├── LICENSE
-  ├── README.md
-  ├── d3-format.js
-  └── d3-format.min.js
-```
-
-This means you can install multiple versions of a package or multiple packages with the same name. And because the `crom.json` file stores the associated metadata, you’ll know when anything changes.
-
-### Loading Packages
-
-So far, I’ve just implemented a substitute for `require` in Node. For example:
-
-```js
-var crom = require("crom"),
-    format = crom.require("d3-format");
-```
-
-Since there is only one dependency named d3-format, this would succeed, loading c7c1fee. But if you had multiple packages with the same name, you’d get an error unless you specified something more explicit, such as one of these:
-
-```js
-var format = crom.require("d3-format@0.2"); // a version
-var format = crom.require("d3/d3-format"); // a fork
-var format = crom.require("https://github.com/d3/d3-format"); // a full url
-```
-
-Thus, Crom retains the convenience of working with short names. Crom guarantees that the names you prefer locally are explicitly defined so they have the same definition globally, all without a central registry.
+This experiment has been concluded.

New alerts

License Policy Violation

License

This package is not allowed per your license policy. Review the package's license to ensure compliance.

Found 1 instance in 1 package

Empty package

Supply chain risk

Package does not contain any code. It may be removed, is name squatting, or the result of a faulty package publish.

Found 1 instance in 1 package

Major refactor

Supply chain risk

Package has recently undergone a major refactor. It may be unstable or indicate significant internal changes. Use caution when updating to versions that include significant changes.

Found 1 instance in 1 package

No repository

Supply chain risk

Package does not have a linked source code repository. Without this field, a package will have no reference to the location of the source code use to generate the package.

Found 1 instance in 1 package

No website

Quality

Package does not have a website.

Found 1 instance in 1 package

Fixed alerts

License Policy Violation

License

This package is not allowed per your license policy. Review the package's license to ensure compliance.

Found 1 instance in 1 package

Dynamic require

Supply chain risk

Dynamic require can indicate the package is performing dangerous or unsafe dynamic code execution.

Found 1 instance in 1 package

Filesystem access

Supply chain risk

Accesses the file system, and could potentially read sensitive data.

Found 1 instance in 1 package

Improved metrics

Dependency count

0

decreased by-100%

Number of low supply chain risk alerts

1

decreased by-75%

Worsened metrics

Total package byte prevSize

1769

decreased by-93.39%

Number of package files

4

decreased by-69.23%

Lines of code

0

decreased by-100%

Number of lines in readme file

4

decreased by-97.01%

Number of medium supply chain risk alerts

2

increased byInfinity%

Dependency changes

• - Removedd3-array@0.7

• - Removedd3-format@0.5

• - Removedd3-queue@1.2

• - Removedminimist@1.2

• - Removedrequest@2.67

• - Removedrimraf@2.5

• - Removedsemver@5.1

• - Removedunzip@0.1

• - Removedansi-regex@2.1.1(transitive)

• - Removedansi-styles@2.2.1(transitive)

• - Removedasn1@0.2.6(transitive)

• - Removedassert-plus@0.2.01.0.0(transitive)

• - Removedasync@2.6.4(transitive)

• - Removedaws-sign2@0.6.0(transitive)

• - Removedbalanced-match@1.0.2(transitive)

• - Removedbcrypt-pbkdf@1.0.2(transitive)

• - Removedbinary@0.3.0(transitive)

• - Removedbl@1.0.3(transitive)

• - Removedboom@2.10.1(transitive)

• - Removedbrace-expansion@1.1.11(transitive)

• - Removedbuffers@0.1.1(transitive)

• - Removedcaseless@0.11.0(transitive)

• - Removedchainsaw@0.1.0(transitive)

• - Removedchalk@1.1.3(transitive)

• - Removedcombined-stream@1.0.8(transitive)

• - Removedcommander@2.20.3(transitive)

• - Removedconcat-map@0.0.1(transitive)

• - Removedcore-util-is@1.0.21.0.3(transitive)

• - Removedcryptiles@2.0.5(transitive)

• - Removedd3-array@0.7.1(transitive)

• - Removedd3-format@0.5.1(transitive)

• - Removedd3-queue@1.2.3(transitive)

• - Removeddashdash@1.14.1(transitive)

• - Removeddelayed-stream@1.0.0(transitive)

• - Removedecc-jsbn@0.1.2(transitive)

• - Removedescape-string-regexp@1.0.5(transitive)

• - Removedextend@3.0.2(transitive)

• - Removedextsprintf@1.3.0(transitive)

• - Removedforever-agent@0.6.1(transitive)

• - Removedform-data@1.0.1(transitive)

• - Removedfs.realpath@1.0.0(transitive)

• - Removedfstream@0.1.31(transitive)

• - Removedgenerate-function@2.3.1(transitive)

• - Removedgenerate-object-property@1.2.0(transitive)

• - Removedgetpass@0.1.7(transitive)

• - Removedglob@7.2.3(transitive)

• - Removedgraceful-fs@3.0.12(transitive)

• - Removedhar-validator@2.0.6(transitive)

• - Removedhas-ansi@2.0.0(transitive)

• - Removedhawk@3.1.3(transitive)

• - Removedhoek@2.16.3(transitive)

• - Removedhttp-signature@1.1.1(transitive)

• - Removedinflight@1.0.6(transitive)

• - Removedinherits@2.0.4(transitive)

• - Removedis-my-ip-valid@1.0.1(transitive)

• - Removedis-my-json-valid@2.20.6(transitive)

• - Removedis-property@1.0.2(transitive)

• - Removedis-typedarray@1.0.0(transitive)

• - Removedisarray@0.0.11.0.0(transitive)

• - Removedisstream@0.1.2(transitive)

• - Removedjsbn@0.1.1(transitive)

• - Removedjson-schema@0.4.0(transitive)

• - Removedjson-stringify-safe@5.0.1(transitive)

• - Removedjsonpointer@5.0.1(transitive)

• - Removedjsprim@1.4.2(transitive)

• - Removedlodash@4.17.21(transitive)

• - Removedmatch-stream@0.0.2(transitive)

• - Removedmime-db@1.52.0(transitive)

• - Removedmime-types@2.1.35(transitive)

• - Removedminimatch@3.1.2(transitive)

• - Removedminimist@1.2.8(transitive)

• - Removedmkdirp@0.5.6(transitive)

• - Removednatives@1.1.6(transitive)

• - Removednode-uuid@1.4.8(transitive)

• - Removedoauth-sign@0.8.2(transitive)

• - Removedonce@1.4.0(transitive)

• - Removedover@0.0.5(transitive)

• - Removedpath-is-absolute@1.0.1(transitive)

• - Removedpinkie@2.0.4(transitive)

• - Removedpinkie-promise@2.0.1(transitive)

• - Removedprocess-nextick-args@1.0.7(transitive)

• - Removedpullstream@0.4.1(transitive)

• - Removedqs@5.2.1(transitive)

• - Removedreadable-stream@1.0.342.0.6(transitive)

• - Removedrequest@2.67.0(transitive)

• - Removedrimraf@2.5.4(transitive)

• - Removedsafer-buffer@2.1.2(transitive)

• - Removedsemver@5.1.1(transitive)

• - Removedsetimmediate@1.0.5(transitive)

• - Removedslice-stream@1.0.0(transitive)

• - Removedsntp@1.0.9(transitive)

• - Removedsshpk@1.18.0(transitive)

• - Removedstring_decoder@0.10.31(transitive)

• - Removedstringstream@0.0.6(transitive)

• - Removedstrip-ansi@3.0.1(transitive)

• - Removedsupports-color@2.0.0(transitive)

• - Removedtough-cookie@2.2.2(transitive)

• - Removedtraverse@0.3.9(transitive)

• - Removedtunnel-agent@0.4.3(transitive)

• - Removedtweetnacl@0.14.5(transitive)

• - Removedunzip@0.1.11(transitive)

• - Removedutil-deprecate@1.0.2(transitive)

• - Removedverror@1.10.0(transitive)

• - Removedwrappy@1.0.2(transitive)

• - Removedxtend@4.0.2(transitive)