npm Community Forum (Archive)

The npm community forum has been discontinued.

To discuss usage of npm, visit the GitHub Support Community.

Request to change "I sure hope you know what you are doing" warning message...


We have a dedicated build cluster for our internal projects. These machines are managed by our DevOps team, and for them using NPM is a bit of a new experience.

But basically they require that the machine be in a pristine state before starting a build. And we have run into a couple of issue that looked fixed after running “npm cache clean --force”. I understand that this might have been simply fixed by re-running the build, but I also see their point, and so we’re probably going to add the cache clean command to every build script that uses NPM.

So the next issue is our DevOps really doesn’t like the “I sure hope you know what you are doing” warning message. Is there any way we can make that message a little more helpful? Like what actually is the downside of cleaning the cache… I assume it’s nothing more than causing the next “npm install” command to download everything and thus be slower. If that’s the case, can we change the message to just say that, like “The next call to npm install will be slower due to needing to download all packages from the Internet” or some such…?

Thanks for your consideration.


(Moved to #ideas, thanks for suggestion)

The issue here is that --force abandons a lot of safety features in various commands. For example, it allows you to clobber files, delete things that should usually not be deleted, let npm audit fix install packages that are outside of the approved version ranges, and so on.

The origin of the “I sure hope you know what you’re doing” message is that, once upon a time (and probably still today), people would get into the habit of doing things with --force out of superstition or “make the bug go away”, without thinking it through. A warning message saying “this is dangerous!” proved to be less effective than communicating “If you know what you’re doing, then ok, you’re the human.” The goal is to instill a healthy feeling of self-doubt and trepidation. Feedback over the years is that this message has been effective in getting people to slow down and think about when they’re using --force and maybe shouldn’t be. (In fact, this message from your devops is one great example!)

If you’d like to avoid the message when using --force, and you really do know what you’re doing, then you can replace npm cache clean --force with npm cache clean --force --loglevel=error, or simply rm -rf ~/.npm.

A comprehensive message is displayed when running npm cache clean without specifying --force. And really, I know you’ve probably already had this conversation, but you truly do not need to do this, and it does not really satisfy the goal of “pristine state”. If you want a pristine state, it’s better to spin up a new VM or container from a known image. Blowing away the cache isn’t guaranteed to achieve this, and can only increase your server and bandwidth bills.

Thanks for the reply, and the info. Good stuff.

Thinking about using VMs and/or containers… that’s a really good idea.