
doc: nodejs.dev site says npx "allows you to run that npm command without installing it first" -- but that appears to no longer be true

Open jcollum opened this issue 4 years ago • 12 comments

copy paste from https://stackoverflow.com/questions/69006097/does-npx-no-longer-do-install-less-run

From the nodejs.dev site:

npx allows you to run that npm command without installing it first. If the command isn't found, npx will install it into a central cache:

They use this as an example:

npx cowsay "Hello"

But when I run that:

$ npx cowsay "Hello"

Need to install the following packages:
  cowsay
Ok to proceed? (y)

Huh? Is there some preference that I need to set now? I'm used to npx running things without installing them, like they say on nodejs.dev. I don't really want to install cowsay in my globals.

Node v14.17.5
NPM 7.21.0
OS: Mac OS X	10.15.7

jcollum avatar Sep 09 '21 23:09 jcollum

Hi @jcollum, npx will download and save the executables of the package in its cache, but this package will not be available as a global command.

~ npx cowsay "hi"
Need to install the following packages:
  cowsay
Ok to proceed? (y) y
 ____
< hi >
 ----
        \   ^__^
         \  (oo)\_______
            (__)\       )\/\
                ||----w |
                ||     ||
~ cowsay "hi"
command not found: cowsay

rodion-arr avatar Sep 21 '21 08:09 rodion-arr

@rodion-arr doesn't really answer my question regarding running things via npx without installing them. Did npx used to do some sort of temporary install?

~ cowsay "hi"

That part doesn't seem relevant at all.

jcollum avatar Nov 17 '21 19:11 jcollum

~ cowsay "hi" command not found: cowsay

By this I've tried to show that the cowsay command is not available globally after it was executed by npx. However, the cowsay executables were cached and will not be redownloaded on the next npx call.

rodion-arr avatar Nov 17 '21 20:11 rodion-arr

OK I'm going to start over:

The way npx used to work was that it would download an executable and run it with just npx dothething. Now it confirms the install. The docs don't mention that you need to confirm the install. Which tells me this is new behavior. If that's the case the docs need to be updated.

Is that clearer?

jcollum avatar Nov 17 '21 22:11 jcollum

So you are complaining about a missing confirmation step in the docs? It looks like the original post was about installing the command globally, which is not the case, as I've tried to show you. If you feel that the docs are missing something, you're more than welcome to submit a PR and it will be reviewed by the team.

rodion-arr avatar Nov 18 '21 11:11 rodion-arr

I think what @jcollum is trying to get at: does npx permanently install packages locally or just sort of temporarily download and run until the command is complete at which point it is removed from the system?

Maybe? I might be off too.

In the past I don't recall npx having the confirmation step about installing anything. But what npx is for is to execute a package without installing it first, meaning not having to install it manually with npm. It doesn't mean the package is not installed first just that you don't have to manually install it first. Additionally npx will prevent the command from being added to the $PATH variable so that it cannot be executed independently from npx.

Using npx also means you will always use the latest version of a package instead of having to do an npm update <package> first. If the package has been updated since the last time you used npx <package>, it will update the package first. However, if the package is already installed globally or is otherwise in the $PATH variable, then npx <package> will run the global/$PATH version instead.

SStranded avatar Nov 23 '21 01:11 SStranded

Yes, that's the gist of it, thanks for clarifying.

On Mon, Nov 22, 2021 at 5:31 PM Zach @.***> wrote:

I think what @jcollum https://github.com/jcollum is trying to get at: does npx permanently install packages locally or just sort of temporarily download and run until the command is complete at which point it is removed from the system?

Maybe? I might be off too.

In the past I don't recall npx having the confirmation step about installing anything. But what npx is for is to execute a package without installing it first, meaning not having to install it manually with npm. It doesn't mean the package is not installed first (how else would it run?) just that you don't have to manually install it first. Additionally npx will prevent the command from being added to the $PATH variable so that it cannot be executed independently from npx.

Using npx also means you will always use the latest version of a package instead of having to do an npm update first. If the package has been updated since the last time you used npx <package>, it will update the package first. However, if the package is already installed globally or is otherwise in the $PATH variable, then npx will run the global/$PATH version instead.


jcollum avatar Nov 24 '21 21:11 jcollum

@rodion-arr I had the same issue as @jcollum and opened a Stack Overflow question.

Just as @jcollum, I was completely befuddled as to why all of a sudden I was expected to download the package globally. The whole idea of having npx is that the consumer doesn't have to worry about the package polluting their global environment.

Asking whether it is ok to install the package does give the impression that it will be installed globally. Besides, if it is just being installed in the cache as before, then why even prompt the consumer whether they are ok with installing the package?

I think the new way of doing things is very misleading. Either the documentation should be updated or a better message should be shown.

SangeetAgarwal avatar Dec 05 '21 18:12 SangeetAgarwal

Is anyone gonna fix the docs?

jcollum-nutrien avatar Mar 21 '22 22:03 jcollum-nutrien

I'm not a JS guy, but when I occasionally need a node tool and do not want the whole shebang permanently, I use npx. It was time once more. Now I'm just as confused as you all.

  1. Why call it 'install', if it's temporary?
  2. If temporary, when is it removed?
  3. Do we need to bother cleaning up so it doesn't stack in the sky?

Can we get a clear answer please?

Sep 10, 2021

Should be a fairly straightforward answer. Guess we could read the code, but I don't have time to read what the creator can answer in a second.

The docs still explicitly say and emphasize repeatedly:

Installation-less command execution

PS: I suppose it's not all that smart to run the latest version of anything from CLI anyway, but it's convenient. After node-ipc murdered the livelihoods of millions in the name of Ukraine we ought to rethink trust.

Is this new model some sort of semi-virtualenv? I'm trying to understand our available tools.

Edit:

answers for all

So I found https://nodejs.dev/ must be out of date. https://docs.npmjs.com/cli/v8/commands/npx seems to be current, and states:

If any requested packages are not present in the local project dependencies, then they are installed to a folder in the npm cache, which is added to the PATH environment variable in the executed process.

Looking at how the current cache works:

npm will not remove data by itself: the cache will grow as new packages are installed.

Ergo:

  • It will install into the regular npm cache. (Which is not temporary as the name would suggest.)
  • It will indeed stack up into the sky.
  • You need to run npm cache clean --force to reset it. (But of course now you have to re-download everything. There is no option to just remove the 'npx temporary trash stuff'.)
  • It's not some sandbox at all, not limited to your current folder or anything. Beware.

Edit2: Even npm cache clean --force did not clean it.

Edit3: God the docs are not helpful.

So the npx cache IS separate, and it seems like rm -rf ~/.npm/_npx would suffice. But there is an entire package devoted to this 'bug': https://www.npmjs.com/package/clear-npx-cache Not sure I understand why, it doesn't seem to do anything more either.

Why the heck are we forced to clean up after a tool that is specifically marketed as temporary use?

elandorr avatar May 24 '22 18:05 elandorr
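
An added example, not part of the thread or of npm itself: since the comment above finds that npx installs persist under ~/.npm/_npx, this Node script inventories that directory so individual entries can be reviewed and deleted instead of wiping the whole cache. The per-entry layout (a hashed folder holding its own package.json and node_modules) and the names `listNpxCache` and `DEFAULT_NPX_CACHE` are assumptions of this example.

```javascript
// Added example (not from the thread): list what npx has left in its cache.
const fs = require("node:fs");
const os = require("node:os");
const path = require("node:path");

// Assumption: npm 7+ layout, <cache>/_npx/<hash>/{package.json,node_modules}.
// The default path below is the one named in the comment above.
const DEFAULT_NPX_CACHE = path.join(os.homedir(), ".npm", "_npx");
const INSTALL_HOOKS = ["preinstall", "install", "postinstall"];

function readJson(file) {
  try {
    return JSON.parse(fs.readFileSync(file, "utf8"));
  } catch {
    return null; // missing or unreadable manifest
  }
}

// Returns one record per cache entry: its directory, last-modified time and
// the packages that were requested through npx, with the version on disk.
function listNpxCache(root = DEFAULT_NPX_CACHE) {
  if (!fs.existsSync(root)) return [];
  const entries = [];
  for (const dirent of fs.readdirSync(root, { withFileTypes: true })) {
    if (!dirent.isDirectory()) continue;
    const dir = path.join(root, dirent.name);
    const manifest = readJson(path.join(dir, "package.json")) || {};
    const packages = Object.keys(manifest.dependencies || {}).map((name) => {
      const pkg = readJson(path.join(dir, "node_modules", name, "package.json"));
      const scripts = (pkg && pkg.scripts) || {};
      return {
        name,
        version: pkg ? pkg.version : null, // null: requested but not on disk
        installHooks: INSTALL_HOOKS.filter((h) => typeof scripts[h] === "string"),
      };
    });
    entries.push({ dir, modified: fs.statSync(dir).mtime, packages });
  }
  return entries.sort((a, b) => a.dir.localeCompare(b.dir));
}

// Print the inventory for the current user; an absent cache prints nothing.
for (const entry of listNpxCache()) {
  for (const p of entry.packages) {
    const hooks = p.installHooks.join(",") || "none";
    console.log(`${entry.dir}\t${p.name}@${p.version}\tinstall hooks: ${hooks}`);
  }
}
```

Entries that declare install hooks ran package-supplied scripts at install time, which makes them the first ones worth reviewing; removing a single entry's directory leaves the rest of the cache in place.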

Hey, @elandorr thank you for the comment. Indeed the Learn docs are outdated as they require manual intervention from contributors to keep them updated.

You're more than welcome to make a contribution, updating them.

ovflowd avatar Aug 02 '22 20:08 ovflowd

No offense, but let me make this clear to dispel the 'community' myth:

  • Microsoft owns npm, nodejs is owned by the 'openjs foundation' which is run by the 'linux foundation'.
  • The 'openjs foundation' lists the entirety of the tech corpocracy's trillionaires as backers (MS, G, etc.). Money? Check. 'Trillions' is not a typo. Especially with Microsoft directly having vested interest, there is guaranteed to be infinite money available. And not like Google could work without it. Dependencies upon dependencies later, normal humans can live without node, corporations can not.
  • These are all billionaire level corporate entities, not a community open source garden project like marketing loves to show it as.
  • Corporate structures have plenty of ways to hide their true activity, but let's just use the 'linux foundation' as example: https://projects.propublica.org/nonprofits/organizations/460503801 Highly paid management that might never contribute one bit in real life? Check. Literally more than a hundred million dollars in revenue? Check.

I'm a random techie with hardly enough food to eat, struggling like most people in Europe and anywhere else today. Most people are not fancy marketing-biography-about-me-writers reveling in their middle-class complacency. They have very limited free time, if any. They don't show up in marketing or have time to sell their made-up alter-ego on twitter. There are actual community projects that are infinitely more deserving of help, than corporate ecosystems leeching off strangers' goodwill.

This has nothing to do with you, I have no clue what your relation to any of this is, but I'm done with the audacity of the rich and the fakeness in 'open source'. Great, they live in a bubble, I'm happy for them.

Real community open source still has no money in 2022 and typically dies young. Apparently donating to trillionaires for ego and some 'contributor' bling bling is more appealing than supporting ordinary humans. I personally avoid the temptation by using public github only for reports. With how insanely 'gamified' github has become, I can see how it's easy to get sucked into it.

Funny enough my simple questions from May 24 are still unanswered. Trillion dollar backing and still not making much sense, ironic. Meanwhile random 1-man projects from 20 years ago will explain every line to you, if you just listen.

Besides, how could anyone possibly write proper docs, if the original authors never answered the questions? Might as well do it right, or not at all. But then again, you get the bling bling if you fix a whitespace, too.

Have a good one.

elandorr avatar Aug 27 '22 17:08 elandorr

Closing because this page is going away. https://github.com/nodejs/nodejs.dev/pull/2796

benhalverson avatar Sep 30 '22 01:09 benhalverson