Fixed up some perf issues and benchmark bugs in the new-streams reference impl ... some highlights running comparisons on @nodejs.org @deno.land and @bun.sh ... note each column is just looking at the one runtime, not comparing runtimes against each other ...
When does slop become soup? Like... delicious soup
Appreciate it! <3
Note: for those last benchmark screenshots I shared, the labels are:
- "vlt": our hosted registry
- "npm": the npm public registry (`registry.npmjs.org`)
- "AWS": AWS Code Artifact
We've got a bit of a backlog of docs/marketing/comms but if there's anything specific you're interested in or want to know more about, fire away.
For VSR, we're going to continue maintaining that as a lightweight self-hosted option (great for testing/local dev) but we've been primarily focused on our hosted registry/service.
Perf & security again are top of mind. Initial benchmarks show significant wins against npm/AWS. More on this soon.
In regards to the CLI, we've made a bunch of perf improvements & stabilized the lockfile (ref. benchmarks.vlt.sh). There's more to land before the end of the quarter but we're faster & more secure in a lot of ways (ex. blog.vlt.sh/blog/vlt-build)
ππ» Much work has been in progress. We've been queuing up for a v1.0 launch here for awhile & in the midst of crunch time at this very moment.
π Coming in the next version of tsdown: built-in Node.js SEA (Single Executable Applications) support!
Now you can bundle your JS apps into a standalone executable with a single command:
tsdown --exe
i built an entire x86 CPU emulator in CSS (no javascript)
you can write programs in C, compile them to x86 machine code with GCC, and run them inside CSS
lyra.horse/x86css/
What would the argument be there? I think the majority of legitimate post install scripts are for mounting native add-ons & bundling, although historic, is essentially vendoring (a legitimate practice as well). I get not running any scripts but wondering what's the nuance with these specifically?
Yea... this was/is a thing. It was "removed" on the website at some point before I joined. That said, you can still find references in the website to it (since it was only visually removed) & the endpoints / CLI commands still exist & work.
Overall though, it's pretty trivial to query projects for the purpose of unearthing these mutable deps.
ex. `vlt query ":not(:type(registry))"`
Not sure how deno is thinking about this but we're purposefully trying to avoid tacking a bunch of one-off configs whose purpose overlaps w/ each-other.
ex. `vlt build ":type(registry)"` will only run the install scripts of packages that are registry deps. Our default for `build` is actually ":scripts:not(:built):not(:malware)" which doesn't catch git/remote deps since they aren't scanned by our metadata partner (Socket) - we can/should change that.
DSS selectors essentially unlock the underlaying data associated with the dependency (ex. it's spec/type/metadata) as well as it's relationships in the graph making it trivial to express complexed/nuanced queries easily.
For @vlt.sh our policies will use DSS (docs.vlt.sh/cli/selectors). Most cmds already support a `--target` &/or `--scope` flag which use it too. `install` is the laggard since applying complex graph mods during resolution is hardβ’οΈ (note: we might just do it post resolution like we did for `build`).
Most package managers already categorize the dependency by it's parsed spec (ex. npm's `npm-package-arg` or our internal `@vltpkg/spec`); we just need to create policies to gate installations based on that information.
www.npmjs.com/package/npm-...
www.npmjs.com/package/@vlt...
You're right that the solution is to not install these by default unless expressly configured/opted-in to. I have previously considered what it would look like to create an override definition on behalf of the user for git deps (making the consumer aware of/own that resolution long term).
I've done many talks on this before but it's still very opaque to end-users just how much power they give their package manager. Should also be noted that many security tools fail to index/scan git or remote deps ahead of time.
Any reason npm's native stars weren't used? ie. `npm star <pkg>` / `npm stars <user>` - this count is already available/shows up in Packuments under the top-level key "users" & is tied to npm accounts (so secondary inference/insights are trivial)
Agent skills are the new postinstall scripts... #changemymind
What do people use to stay up to date with/monitor socials these days? My feed is π₯ with AI tools & I feel like my meat brain & thumbs can't process the thousands of experiments/insights. Do I just spin up OpenClaw & make it monitor socials w/ daily recaps?
Pie chart. 3.3M NPM packages. 81% of packages has less than 10 downloads per week. 12% between 10 and 100. 3.2% between 100 and 1000. 1.8% between 1000 and 10K. 1.1% between 10K and 1M and 0.2% over 1M
Doing some analytics with #NPM and this is the distribution of how many downloads NPM packages typically get.
The @vlt.sh benchmark suite has been updated to include the yarn v6 canaries (still a WIP & improving all the time): benchmarks.vlt.sh
IYKYK
Notably, we weren't sharing this widely as we are still pre-1.0.0 & have many optimizations to make ahead of that milestone which we think will make us much more competitive/comparable to `bun`. I'll be interested to see how yarn v6 stacks up here imminently...
We (@vlt.sh) have put together a pretty extensive set of benchmarks; I'm in the midst of add yarn v6.x right now: benchmarks.vlt.sh#/package-man...
Of course, all benchmarking is tough given the nuances of the feature-sets but we do a best effort to configure the instances to be competitive.
I was recently on the Changelog podcast to talk about npm's security issues, what can be done, and why the npm registry is unique amongst programming language source code registries.
