global package.json for npm-audit and dotfiles usage


(Copot Matei) #1

I just went through the process of migrating from a computer to another via dotfiles, and I realized that of course all of the commands I use and love that I installed from npm i -g were gone. Something that bothered me was how easily this could have been avoided, if global installs actually left a package.json somewhere I could have added to my dotfiles and installed from

The idea only occured about an hour ago, and I’ve explored a bunch of other possibilities, such as creating a package at ~, and aliasing a command like npmg to install things only there, which could work, but seems like a hack that can be easily avoided, and might break some other automation steps.

As a side-note, npm-audit -g and other analysis tools are not currently working at a global level, and this could be improved, I think, by providing that package.json

I’ve also been trying to think of reasons why this is not a thing right now, and I can’t think of many reasons.

One of them is security. If someone can modify your global package.json without you noticing, this can lead to bad things happening, but on that note, there’s far more dangerous things someone can do if they can write to your whole system. Maybe even seeing it could be bad, but we already have a list of them by folder rather than as names in a json file, which only discourages people trying to create good tools, rather than people who might want to harm you

Another one might be that it could add confusion, as global-level node_modules are treated differently from standard ones (afaiu), and I think it might come down to this, but a solution would be to call the file package-global.json or similar.

Maybe it’s just that the npm team has more important things to work on? Maybe nobody has expressed this problem before? I’m not sure why this isn’t a feature yet. I’m interested in reasons why this might be bad