I mean, speaking as an oss maintainer, there is an infinite list of things msft could do on npm and gh to make our lives better, but we might just have to accept that we’re on our own and have to deal with those platforms mostly as they are and dependency cooldown is just a pragmatic approach. :)
Packages published less than 72 hours ago
For newly created packages, as long as no other packages in the npm Public Registry depend on your package, you can unpublish anytime within the first 72 hours after publishing.
There are 231+ packages that depend on this one, and I imagine they mostly use permissive enough version ranges that this was included.
I have had to do this, well over a decade ago now, when working at a place that was a pretty big deal in the node world, and node was still pretty new. They helped us.
I would imagine GH would do the same if its a high enough profile issue.
Yep, we had to do this recently with Renovate, where we had too many releases, and new publishing hit a size limit on the registry, so we needed support to help us unpublish a load of old releases
I think you’re looking for Laravel, with its many many official packages and the thousands of community packages, which are often full features including an optional frontend for it. :-)
From what I see, this does not help with pinning the dependencies and it doesn’t verify the downloaded action has the same content as it used to have. In other words, this is a tiny patch on a big wound.
We use commit hashes to pin actions, have the version as a comment (e.g # v4) and renovate will keep both up to date in the PRs.
And there is a more or less recently added repository setting to require actions to be pinned to hashes.
I don’t want to throw process at the problem. I think GH should provide a better system not the developers locking down dependencies and adding extra processes and steps to update the CI via a PR workflow. Not like PRs became the development bottleneck anyways for a lot of development teams these days. I wonder how we functioned 15 years ago with trunk based YOLO development.
I also think that it wasn’t the best idea to base versioning on mutable branches and not introduce a registry in the middle. Think about it. The whole system is build on node anyways. But we pull “dependencies” via a weak git clone system.
You don't use actions pulling in unpinned dependencies outside of trusted distro package manager at runtime.
I believe this problem is probably overstated. Can you point us to such an action you are concerned with that has either transitive actions dependency or unlocked npm dependencies where maintainers aren't responsive to addressing PRs to illustrate?
