I’m with Sindre Sorhus that small modules are easy to reason about, but there are better ways to avoid the cascading effect that unpublishing can have besides increasing the amount of copy/paste coding in the world.
For corporate projects, third-party modules stored on third-party module repos should not be a dependency for building and deploying. Storing third-party dependencies locally in some form solves the problem of third-party modules on npm that disappear. Check the third-party code into source control or use a private NPM repo. Using
to require precise versions is a good idea.
For open source modules, I would like to see distribution options that include downloading the entire dependency tree in a single tarball. The tarballs would contain a stack that has been tested and approved by the module maintainer, so you don’t end up downloading a combination of dependencies that no one ever tested or intended you to use. A module being unpublished would not affect this case, as an approved version would continue to remain in the tarball.
Open source projects don’t need to wait for module repos to offer this feature; they can upload and link to their own copies.
The project tarball could itself contain vetted tarballs of dependencies inside, ready for
. And yes, signed packages would help make sure that all the packages you are getting are from the authors you expect.
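As an added example (not code from the post or from npm), here is the kind of check a build could run over locally stored dependency tarballs before installing from them: each vendored copy is compared against the integrity hash recorded for the approved version, so a missing or altered tarball is caught rather than silently used. The package names, tarballs and lock entries below are constructed; the lock dictionary mirrors the "integrity" field shape that package-lock.json uses.

```python
import base64
import hashlib
import io
import json
import tarfile


def build_tarball(name, version):
    """Constructed stand-in for a vendored dependency tarball (not a real npm
    package): a minimal package/package.json in an uncompressed tar, laid out
    the way `npm pack` lays out a package."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        body = json.dumps({"name": name, "version": version}).encode()
        info = tarfile.TarInfo("package/package.json")
        info.size = len(body)
        tar.addfile(info, io.BytesIO(body))
    return buf.getvalue()


def sri_sha512(data):
    """Subresource Integrity string, the form npm records under "integrity"."""
    return "sha512-" + base64.b64encode(hashlib.sha512(data).digest()).decode()


def verify_vendored(lock, vendored):
    """Compare each locked dependency to its local tarball.
    Returns {name: 'ok' | 'missing' | 'integrity-mismatch'}; 'integrity-mismatch'
    means the stored bytes are not the ones that were approved."""
    status = {}
    for name, entry in lock["dependencies"].items():
        data = vendored.get(name)
        if data is None:
            status[name] = "missing"
        elif sri_sha512(data) != entry["integrity"]:
            status[name] = "integrity-mismatch"
        else:
            status[name] = "ok"
    return status


def demo():
    """Constructed scenario: one intact copy, one altered copy, one absent copy."""
    approved_a = build_tarball("dep-a", "1.0.0")
    approved_b = build_tarball("dep-b", "2.1.0")
    approved_c = build_tarball("dep-c", "0.3.0")
    lock = {"dependencies": {
        "dep-a": {"version": "1.0.0", "integrity": sri_sha512(approved_a)},
        "dep-b": {"version": "2.1.0", "integrity": sri_sha512(approved_b)},
        "dep-c": {"version": "0.3.0", "integrity": sri_sha512(approved_c)},
    }}
    # dep-b's local copy was replaced by a different build; dep-c was never stored.
    vendored = {"dep-a": approved_a, "dep-b": build_tarball("dep-b", "2.1.1")}
    return verify_vendored(lock, vendored)
```

Run `demo()` to see the three outcomes; a real build would refuse to proceed on anything other than "ok" for every entry.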
We’ll be a more resilient community if we all take care to make sure that key dependencies for our projects are locally available so that further disruptions at npmjs.org are not felt so widely.