Corepack is dead, and I'm scared
Summary
TLDR: The video script discusses the demise of Corepack, a feature in Node.js designed to streamline package manager usage across projects. Despite its popularity, Corepack is being removed due to ongoing debates and technical concerns within the Node community. The decision has sparked controversy, with many developers viewing it as a step backward, especially for those who rely on alternative package managers like pnpm or yarn for complex setups. The video also touches on the Node team's evolving recommendations for package management and the importance of community engagement in such decisions.
Takeaways
- 📦 The script discusses the history and current state of npm and its attempts to standardize packaging solutions, highlighting the emergence of alternatives like pnpm, yarn, and bun.
- 🛠️ Corepack, a built-in solution in Node, allowed specifying a package manager and its version within a project, facilitating easier project hopping and open-source contributions.
- 😔 Corepack is now facing removal from Node, which is a significant setback for developers who relied on its convenience for managing different package managers across projects.
- 📝 The script mentions a heated debate within the Node community regarding the enabling of Corepack by default, which aimed to streamline the setup process for new developers.
- 🔄 The Technical Steering Committee (TSC) of Node confirmed they have no plans to remove npm from distribution, which is a key point since npm is bundled with Node by default.
- 🚫 The decision to remove Corepack from Node has been delegated to the package maintainers working group, who have outlined a roadmap for its eventual removal in the next major release.
- 🔄 The script points out the irony that the push to enable Corepack by default has led to its complete removal, contrary to the community's intentions.
- 🔧 The creator of pnpm, Zoltan, is now working on adding version management to pnpm independently, as Corepack's removal means reliance on it for version management is no longer viable.
- 🗂️ The Node download page is being updated to recommend installing Node via version managers and to provide instructions for installing other package managers like yarn and pnpm.
- 📖 Corepack's documentation will be moved out of the Node API docs to avoid confusion, as it is a separate project from Node.
- 👎 The decision to remove Corepack has faced significant pushback from the community, with many users expressing disappointment and concern over the impact on Node users and the ecosystem.
Q & A
Why was Corepack considered a valuable tool in the JavaScript ecosystem?
-Corepack was valuable because it allowed developers to specify a package manager and its version within a project, enabling seamless installation of the correct package manager and running it across different projects, which was particularly useful for monorepos and Windows environments.
What are some alternatives to npm that are mentioned in the script?
-The script mentions bun, pnpm, and yarn as alternatives to npm that are considered to work better in terms of speed, reliability, and handling complex setups.
What was the original purpose of Corepack in the context of Node.js?
-The original purpose of Corepack was to provide a solution for developers to use different package managers within their Node.js projects without having to manually configure each one, thus simplifying the process of managing dependencies.
Why is Corepack being removed from Node.js, according to the script?
-Corepack is being removed from Node.js due to a combination of technical and community-driven reasons, including concerns about reproducibility, security, and the fact that it was not as widely adopted as expected.
What is the significance of the 'Corepack by default' proposal that was discussed in the Node.js community?
-The 'Corepack by default' proposal aimed to make it easier for developers to use Node.js with Corepack enabled, so they could simply run 'corepack install' without additional configuration. This would have encouraged more projects to adopt Corepack and potentially reduced the reliance on npm.
What was the outcome of the discussions around 'Corepack by default' in the Node.js community?
-The discussions around 'Corepack by default' led to the ironic outcome of Corepack being removed entirely from Node.js, instead of being enabled by default, due to various concerns and lack of consensus.
What are the implications of removing Corepack from Node.js for developers?
-The removal of Corepack from Node.js implies that developers will need to manually configure and install the package manager of their choice for each project, which could increase complexity and reduce the ease of contributing to different projects.
What is the role of the Node.js TSC (Technical Steering Committee) in the decision regarding Corepack?
-The TSC confirmed that they had no intention to remove npm from distribution, which indirectly influenced the decision around Corepack, as Corepack was seen as a potential replacement for npm in certain scenarios.
What steps are being taken to phase out Corepack from the Node.js distribution?
-The steps include updating the Node.js download page to recommend version-managed installations, moving Corepack documentation out of the Node API docs, and eventually removing Corepack from the Node distribution in the next major release.
How can developers continue to use Corepack after it is removed from Node.js?
-Developers can continue to use Corepack by following the instructions available on the Node download page or in the Corepack repository, as Corepack will still be available as a separate project from Node.
What is the sentiment among the community regarding the removal of Corepack from Node.js?
-The sentiment is mixed, with some community members expressing disappointment and viewing the removal as a step backward, while others see it as an opportunity for Corepack to evolve independently and for the community to find alternative solutions.
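As an added illustration (not code from the video, the Node.js project or Corepack): Corepack reads its pin from the `packageManager` field of package.json, written as `name@version` with an optional `+algorithm.hexdigest` suffix. The sketch below lints that field for the reproducibility and integrity concerns mentioned in the answers above; the policy, the finding codes and all sample values are assumptions constructed for this example.

```javascript
// Added example: lint the "packageManager" pin that Corepack reads from package.json.
// The policy (exact version plus a non-SHA-1 hash) is this example's assumption,
// not behaviour enforced by Corepack or Node.js.

const KNOWN_MANAGERS = new Set(["npm", "pnpm", "yarn"]);
// Expected hex digest length for each hash algorithm this linter recognises.
const DIGEST_HEX_LENGTH = new Map([
  ["sha1", 40], ["sha224", 56], ["sha256", 64], ["sha512", 128],
]);
const WEAK_ALGORITHMS = new Set(["sha1"]);
const EXACT_VERSION = /^\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?$/;

// Split "name@version+algorithm.hexdigest" into its parts; null if malformed.
function parsePackageManager(spec) {
  if (typeof spec !== "string") return null;
  const at = spec.indexOf("@");
  if (at <= 0 || at === spec.length - 1) return null;
  const name = spec.slice(0, at);
  const rest = spec.slice(at + 1);
  const plus = rest.indexOf("+");
  if (plus === -1) return { name, version: rest, hash: null };
  const suffix = rest.slice(plus + 1);
  const dot = suffix.indexOf(".");
  const algorithm = dot === -1 ? suffix : suffix.slice(0, dot);
  const digest = dot === -1 ? "" : suffix.slice(dot + 1);
  return { name, version: rest.slice(0, plus), hash: { algorithm, digest } };
}

// Return a list of finding codes for one package.json document (as text).
function auditPackageJson(text) {
  let pkg;
  try {
    pkg = JSON.parse(text);
  } catch {
    return ["invalid-json"];
  }
  if (pkg === null || typeof pkg !== "object" || !("packageManager" in pkg)) {
    return ["no-pin"]; // whichever package manager is on PATH gets used
  }
  const parsed = parsePackageManager(pkg.packageManager);
  if (!parsed) return ["malformed-pin"];

  const findings = [];
  if (!KNOWN_MANAGERS.has(parsed.name)) findings.push("unknown-manager");
  if (!EXACT_VERSION.test(parsed.version)) findings.push("inexact-version");
  if (!parsed.hash) {
    findings.push("missing-hash"); // version is pinned, the downloaded bytes are not
    return findings;
  }
  const { algorithm, digest } = parsed.hash;
  const expected = DIGEST_HEX_LENGTH.get(algorithm);
  if (expected === undefined) {
    findings.push("unknown-hash-algorithm");
    return findings;
  }
  if (WEAK_ALGORITHMS.has(algorithm)) findings.push("weak-hash");
  if (digest.length !== expected || !/^[0-9a-f]+$/i.test(digest)) {
    findings.push("bad-digest");
  }
  return findings;
}

// Constructed sample inputs (versions and digests are placeholders, not real releases).
const SAMPLES = {
  pinned: JSON.stringify({ packageManager: "pnpm@9.1.0+sha512." + "ab".repeat(64) }),
  versionOnly: JSON.stringify({ packageManager: "pnpm@9.1.0" }),
  range: JSON.stringify({ packageManager: "yarn@^4.0.0+sha1.abc" }),
  absent: JSON.stringify({ name: "demo" }),
};

for (const [label, text] of Object.entries(SAMPLES)) {
  console.log(label, auditPackageJson(text));
}
```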
Outlines
😔 The Demise of Corepack in Node.js
This paragraph discusses the end of Corepack, a tool integrated into Node.js that allowed developers to specify and utilize different package managers within a project. Despite its utility for managing complex setups and contributing to the JS ecosystem, the Node community faces the removal of Corepack from the Node distribution due to various reasons including pushback and a lack of consensus. The paragraph highlights the debate over enabling Corepack by default and the decision by the Node technical steering committee to keep npm bundled with Node.js, which has implications for package management in the future.
📉 Corepack's Removal Roadmap and Community Reaction
The second paragraph outlines the roadmap for removing Corepack from Node.js, as proposed by the package maintenance working group. It includes changes to the Node download page, separating package managers and version managers, and updating documentation. The community's reaction to Corepack's removal is mixed, with some seeing it as a step backward, especially given its popularity among experimental features. The paragraph also touches on the irony of the situation, where efforts to make Corepack the default led to its complete removal, and the ongoing discussions and pushback against this decision.
🚧 The Future of Package Management in Node.js
The final paragraph delves into the implications of Corepack's removal and the future of package management in Node.js. It discusses the decision-making process within the Node community, the lack of representation from key stakeholders like yarn and Corepack maintainers, and the challenges of solving technical issues without their input. The paragraph also mentions the efforts to adapt to the new situation, such as the work by pnpm's creator to add version management without relying on Corepack. It concludes with a call for better collaboration and representation in the Node community to avoid such setbacks.
Keywords
💡npm
💡pnpm
💡Corepack
💡Yarn
💡monorepo
💡package.json
💡OpenJS Foundation
💡Technical Steering Committee (TSC)
💡reproducibility
💡version management
💡Node.js
Highlights
npm's attempts to create a standard packaging solution have been chaotic.
Developers are advised to use alternative package managers like bun, pnpm, or yarn over npm due to better performance and reliability.
Corepack, a built-in Node solution, allowed specifying a package manager and its version within a project.
Corepack facilitated easy transitions between projects using different package managers.
Support for Corepack in Node has been difficult, with resistance from various parties.
Corepack is being removed from Node, marking its effective end.
The Node community engaged in a heated debate over enabling Corepack by default.
The proposal to enable Corepack by default aimed to simplify the setup for developers.
Node's TSC confirmed they have no plans to remove npm from distribution.
npm and Node are bundled together, but developers often opt for other package managers post-Node installation.
Corepack's removal is seen as a step backward by many in the Node community.
Zoltan, creator of pnpm, is working on version management for pnpm independent of Corepack.
The TSC delegated the decision on Corepack to the package maintainers working group.
A roadmap has been outlined for removing Corepack from Node in the next major release.
The Node download page is proposed to be revised to encourage version-managed installations.
Instructions for installing yarn and pnpm as package managers are suggested to be added to the Node downloads page.
Corepack documentation should be separated from the Node API docs to avoid confusion.
The PR for removing Corepack has received approvals, indicating its potential merge despite community pushback.
The push for enabling Corepack by default inadvertently led to its complete removal.
Many community members view Corepack's removal as a regression that will harm Node users.
There is a call for Corepack team representatives to participate in decision-making meetings.
The decision to remove Corepack is based on the consensus that it should evolve independently of Node.
Transcripts
oh boy node drama everyone's favorite the
story in the history of npm and their
attempts to make a more standard
packaging solution have been a bit
chaotic realistically speaking most devs
shouldn't be using npm directly anymore
when we have things like bun pnpm hell
even yarn we have a lot of solutions
that work better not just like faster or
cooler but are more reliable for a lot
of complex setups like monorepos or
using Windows these types of things
aren't things that npm itself does great
thankfully there was a solution built
into node the solution was called corepack
the reason corepack was cool is that it
let you specify a package manager and the
version of that package manager inside
of the project so I could run corepack
install on five different projects one
uses yarn one uses npm and the rest all
use pnpm and it would work and it would
install the right version of the package
manager and run that and for that reason
corepack was awesome it made hopping
between projects contributing to open
source and generally just contributing
to the JS ecosystem significantly easier
in case you've missed my other videos
about corepack which by the way you should
go watch those they're good getting
support for this in node has been kind
of like pulling teeth there's been a lot
of push back for some good reasons and
some not so good reasons and
sadly we lost today I have to break the
really sad news that corepack is
effectively dead because it is being
removed from
node I hate this huge shout out to
socket.dev for writing this article
Sarah wrote this really good article
previously about the drama and I had
already filmed a video about it and her
article was so much better that I redid
it and now I have to do a new video
because Sarah has a new article and the
news is more heartbreaking because node
has started taking steps to remove
corepack from the distribution aiming to
have it removed entirely by the next
major release following a discussion in
the openjs slack the node package
maintenance working group members have
formalized a plan for eventually
removing corepack in February the node
Community engaged in a heated debate
over a proposal to enable corepack by
default which was opened in November of
2023 the goal of corepack by default was
to make it so when devs were using node
they could just corepack install without
having to go configure and set up
specific things because corepack wasn't on
you had to enable it in your node
install the goal was to make it enabled
by default so more projects could start
using corepack by default so you would
pick npm but all your commands would use
corepack and then devs could just clone
your project and be good to go this
discussion included the question of
whether npm would be provided through
corepack moving forward as some
contributors hold the opinion that the
eventual goal of its integration was to
uncouple node and npm from each other in
March node's TSC the technical steering
committee confirmed that they had no
intention to remove npm from
distribution this is an important note
for those who don't know npm isn't a
thing you install separately from node
npm is part of node they come bundled
together they are two different binaries
but when you install node it comes with
npm when you install npm it comes with
node they are meant to come together but
we don't use npm once we've installed
node we install a different better
package manager mode most of the time
now so it's kind of weird that a bad
option comes by default and we're
expected to swap it out with something
better going forward it's very strange
as such it seemed like corepack would allow
you to just not include npm and so we
would include corepack and if the project
that you're working on uses npm it would
install it uses pnpm it would install it
Etc this would immediately destroy the
adoption of npm because who needs npm
anymore if corepack makes it just as easy
to use other options this did come at a
potential cost though I cover this in
the other video
which is that if you just have node
installed and you're using npm and using
everything the stock way all you have to
specify is a node version and now your
build is reproducible if I have an old
project that uses node 16 and it uses
npm I can spin up a box with node 16 and
I can install and run that project
totally fine if we use pnpm I have to
also install pnpm and I also have to
make sure it's the right version of pnpm
which is annoying that said corepack made
it way easier to do such because you
could specify the version and the
package manager in the package.json and
now you can use that as the necessary
piece to do a reproducible build but
since there are old projects that don't
have that theoretically this would be a
breaking change but since they already
have to bump node versions it's not a
breaking change I thought this
argument was really really bad I'm doing
my best to state it in good faith and to
steelman it but I think it's
zoltan is the creator of pnpm and since
corepack is dead he's working on adding
version management to pnpm that doesn't
need corepack anymore because right now he
relies on corepack because we thought
corepack would be the blessed version
because it's the standard that's built into
node but sadly he has to build it
himself now because corepack isn't going to
fix this I am excited about this I've
had problems where I was using the wrong
pnpm version accidentally and now he'll
be fixing that because he has to just
annoying that he tried his hardest to
build into the standard and his solution
won't work anymore because the
standard's being deprecated because the
node team changed their minds back to
this the TSC delegated the decision
regarding corpac to the package
maintainers working group as the
discussion evolved in a PR titled
feature next steps for version
management progress the package
maintenance working group members have
outlined a road map that leads to
removing corepack from the node
distribution in the next major it's part
of achieving the second goal which is
install node and a package manager for a
local development environment and
following up on the proposal to revise
the downloads page we propose the
following next steps you should revise
the node download page to split apart
the operating systems package managers
like Homebrew and chocolatey onto their own
tab separate from the node version
managers like nvm and fnm and the version
manager tab should remain the default
this will further nudge users towards a
recommendation of installing node in a
version managed way I think they've
already started some of this stuff if
you go to the node download page they
overhauled it with the most recent
release where now you pick the node
version you want you pick the OS that
you're on and you pick how you want to
install it you can install it with Brew
or other things see this though home
brew is not a node package manager Ure
it's already installed in your system
yada yada cool they do that but it's
nice that the NVM solution here is the
default and also cool that fnm made it
in fnm is my preferred node version
manager it's just really fast and
relatively convenient and it's more
willing to switch node versions for you
where NVM you have to remind it which
version you want to be using so
personally I prefer fnm I get why they
put nvm first it's a bit more standard but
it's cool they updated this page to show
you how to install things without
downloading and installing node directly
this is the right way to do it your node
version should be managed because you
don't just want to be on latest you want
to have the different versions for your
different projects this is hilarious
node team just use the standard stop
making new things like bun seconds later
Hey guys you're not going to like this
yeah yep more things they specified in
this PR on the downloads page they
should add instructions for installing
yarn and pnpm as package managers to use
for a project these instructions should
follow whatever recommendation we
receive from those maintainers corepack
documentation should be moved out of the
node API docs and into its own website
or accessible as a markdown file in the
corepack repo corepack is a separate project
from node and intermingling its
documentation within node is confusing
we don't do that for npm even though we
distribute that and then once all of the
above is complete we should remove
corepack from the node distribution
starting in the next major release users
who wish to continue using corepack can do
so via the instructions available on the
Node download page or in corepack's docs
this will reduce the maintenance burden
on the Node project and allow corepack to
evolve
independently the whole point of corepack
is that it came by default so we could
use it to use whatever we preferred if
it doesn't come by default it's yet
another step that makes no sense we're
installing a thing to install things to
install things now what the
I'm upset the pr has received five
approvals one more than required to get
this merged according to the group's PR
merging policy it must also have no
blocking reviews still open though it is
not merged yet thankfully you can see
the down votes and up votes do not go
down vote bomb this I'm not even going
to link it in the description please
don't spam them because I'm making a
spicy video I'm just another guy I'm
probably misrepresenting things here I'm
just giving my opinions as a user of
node and a user of corepack I'm upset it is
what it is I'm
sorry in a surprising turn of events the
discussion around enabling corepack by
default became an important Milestone
that precipitated this decision this is
really funny hard fist cut an issue
trying to push them to enable corepack by
default and the result of this issue is
that they're going to remove it entirely
and it is kind of ironic that our goal
of making corepack more normalized has
resulted in corepack being removed
entirely how we got here is absurd but
we are here this picture this was so
good enable corepack by default the
dominoes fell and now we don't get
corepack at
all thankfully the pr is receiving push
back several commenters on the pr noted
the relative popularity of corepack among
experimental features of node marcoo
shared data from the latest survey
saying it seems corepack is pretty
popular see how popular corepack is
compared to a lot of these other
features like watch mode and EnV files
are popular too but corepack is within the
most popular features out of the
experimental set in doubt
others have continued the discussion in
previous PR for removing corepack which
has been in discussion since March
Matteo notably reversed his support for
corepack 2 months ago due to its support
for downloading the package managers
from sources that are not npm this was
upsetting to him again for the
reproducibility argument where if you
were downloading or requiring a download
from pnpm from somewhere else and the
other place went down even if npm is
still up your builds are now broken also
because as other sources aren't
controlled by them theoretically one
could be compromised and swapped and
then doing something that seems totally
innocent like installing node and then
running a project might result in a
compromised service installing a binary
on your computer the alternative that
they had proposed was bundling all the
major package managers inside of node to
prevent this which is utter
chaos and he has changed his
mind those who are happily using corepack
see its removal as a step backwards I've
been using pnpm exclusively through
corepack said a commenter last week the
main reason is that npm's basically
become unusable over the years it's
incredibly slow often gives confusing
error messages and sometimes just gives
wrong non-deterministic results forcing
people to use npm to install the package
manager they actually want to use is a
terrible step backwards the previous PR
calling for corepack's removal has seen a
reactivation of discussion after the
package maintainers working group moved
to approve actions on its road map I'll
also add my deep disappointment with the
sad State of Affairs said Nick ribal
lots of people chose not to use npm for
lots of valid reasons for this crowd
corepack has been nothing short of a
Lifeline which this PR aims to sever
it'll be a terrible regression and it
will harm many node users it is actively
hostile and I wish more people realized
that all very fair and valid points
there are so many reasons to use pnpm
from the monorepo support to the
sharing the package cache so if you have
five versions of a project you don't
have to have 5x the npm the node modules
like all these things make corepack and
make other package managers really valid
options and it doesn't feel like we're
getting a happy path out of this an
attempt was made and after a couple
roadblocks were hit instead of powering
through them we are getting
this is a picture from one of the
node maintenance team meetings you can
watch all of these on YouTube they
publish all of them they're all quickly
done Zoom recordings but they're a
useful resource if you're a nerd like me
they also get like 30 views instead of
the 30 to 100,000 this video will get so
different world but if you are on
YouTube and you're interested in seeing
these meetings for real you can go find
them on YouTube over the past two weeks
a strong contingent of package maintainers
working group members have come to this
consensus that corepack is better off
evolving independently to understand the
decision it's important to dive deeper
into the conversation that led to the
consensus the original corepack goal was
to make users lives easier but now
there's more historical context around
how it was added corepack did exist prior
to being included with node and it is
technically a separate tool says Darcy
Clarke it didn't have a ton of time in
the ecosystem to be baked before it was
pulled in but it did exist and it does
exist separate of node core so you can
still access it and in fact you can get
the latest version of it independent
from the node distribution pulling it
out of core I don't think that prevents
anyone from continuing to use corepack now
that you have to install it separately
it absolutely does the goal of the
default thing of making it on by default
was to reduce the number of steps before
somebody could contribute to a project
that had corepack enabled now it's two
steps instead of one the goal is to make
it zero steps but it got bumped to One
Step because you have to enable it with
the feature flag and now it's going to
be two steps you have to install it and
then set it up right
obnoxious Jordan Harband noted that with
a few rare exceptions yarn and corepack
maintainers haven't shown up to the
meetings where decisions are being made
for the better part of a decade
prioritizing collaboration on GitHub and
Twitter the yarn people don't get
involved in much nowadays I'm surprised
the corepack guys aren't showing up but
that's sad I want these people in here
to collaborate said Harband I want us to
share our ideas and it's pretty
difficult to iterate on something where
the people running it are under
represented in these standard Arenas I
totally agree it's sad that they didn't
show up I'm sure there's good reasons
for it I wish we knew what those were
but it's sad they weren't there Wes Todd
expressed his similar sentiment in the
meeting regarding the working group's
willingness to solve the technical
issues hindered by the inability to
bring important stakeholders to the
table let's find the actual edges of
these technical problems and let's see
if we can solve them said Todd I really
hope we can the chunk here is them
saying that it's hard to make decisions
without them in the room and usually
we've just Fallen back on let's call for
a
vote Todd left a plan of events on here
they're going to adapt point 4 into a
few additional steps around the stages
of changing the recommendations we'll
recommend blocking the pr and directing
folks to this group for further
discussion on the topic to prevent
swirling from the ecosystem sorry for
contributing there I am sorry but this
is importance to talk about they also
need one or more champion from the
coreback team to help drive the
conversation if we need to adjust
meeting times or discussion forums we
can do that to make it happen this is
going to be a fun one I don't got
anything else to say once again huge
shout out to the socket.dev crew for
writing this for me I really appreciate
them if you're not already checking out
socket.dev you should they're a great
solution for security dependency and
they also do great coverage of these
things and again thank you to Sarah for
writing this up as quickly as you did
until next time make sure you're using
a good package manager and make sure
you're using the right version too
because corepack's not going to carry us
there
anymore peace nerds