The the Node.js guidelines say about Source0 :
"The canonical method for shipping most node modules is tarballs from
the npm registry"
"This method [PP: tarbals from npm] should be preferred to using
checkouts from git or automatically generated tarballs from GitHub."
But I think that in following cases it would be better to use sources
from the upstream project:
1) When the license is not included in NPM but is in upstream project.
o Because we are not supposed to ship the license separate from the
2) When the tests are not included.
o In this case we need to download the sources from NPM and from
upstream project, which seems redundant and a waste of work.
3) When NPM content is generated and source files are not in NPM.
o This would mean to download sources from NPM and upstream project,
delete the NPM sources in prep and generate the files again.
Are there good reason to enforce the use of NPM sources which I am
missing? What is your opinion?
I would like to suggest to ad those three exceptions to the guidelines.
After a conversation with Tom Hughes the other day, I started looking at Node.js
5.7.1 for Fedora 25. One of the things we discussed was that it probably makes
sense for us to switch to carrying the bundled version of npm with the nodejs
package, rather than trying to maintain its ever-growing list of dependencies
without breaking npm itself.
I put together a COPR that all of the Node.js SIG member have access to at
Right now it has packages that should install on F23, F24 and Rawhide/F25 and
will replace the npm package.
Please test your noarch and binary modules and let me know if anything is
broken. Also, if you are a member of the Node.js SIG, feel free to rebuild your
binary modules in the COPR to pick up the new Node.js ABI version.
These packages can be installed with:
`dnf copr enable @nodejs-sig/nodejs-latest && dnf install nodejs`