On 08/09/2017 08:06 AM, Stephen Gallagher wrote:
> On Fri, Aug 4, 2017 at 10:43 AM Troy Dawson <tdawson@redhat.com> wrote:
>> Although this looks tempting, it's only looking at half the problem.
>> Versions
>> Nodejs modules get updated all the time, at different rates for different packages.
>> If you had just one package for many modules, it would be getting updated at an alarming rate.
>
> Point taken.
>
> I think the better approach is carefully-controlled bundling in Fedora. As of a couple years ago, it is now permissible to bundle software together in Fedora if it meets certain conditions:
> 1) If the dependency is already packaged in Fedora and this software is compatible with that version, then this software must link against the unbundled version.
> 2) If the dependency is not yet packaged in Fedora but is likely to be useful to large amounts of Fedora software, it is strongly encouraged that it be packaged separately.
> 3) Other dependencies MAY be carried internally by the package that needs them, but that package MUST include `Provides: bundled(npm(modulename)) = version`
>
> Rule 3) is so that if there is a security vulnerability in npm(modulename), we can find any and all software that is required to be updated.
>
> I haven't had any time to work on it, but I'd very much like to develop an automatic RPM dependency generator that will recurse down the node_modules directories, read their package.json files and automatically create those Provides. If anyone else wants to take a crack at doing that, it would be an immense help.
That sounds workable.  Thanks!  There are 502 npm dependencies of scuttlebot, 196 of which are already in Fedora.  I shudder to think of the Requires: list and the Provides: list!!
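A sketch of the generator described above, added here as an example and not code from Fedora or any packaging project: it walks every node_modules directory below a root (nested copies included), reads each package.json and emits one `Provides: bundled(npm(name)) = version` line per bundled module, so a later advisory for npm(name) can be matched against installed packages. The sample tree is constructed inline; mapping a pre-release `-` to rpm's `~` is an assumption about how you would want such versions encoded.

```python
"""Hypothetical RPM Provides generator for npm modules bundled under
node_modules (added example, not Fedora's own tooling)."""
import json
import tempfile
from pathlib import Path

def bundled_from_manifests(manifests):
    """manifests: iterable of (path, package.json text) -> {name: set(versions)}.
    Only manifests under a node_modules directory count; broken ones are skipped."""
    found = {}
    for path, text in manifests:
        if "node_modules" not in Path(path).parts:
            continue  # the package's own manifest, not a bundled dependency
        try:
            meta = json.loads(text)
        except ValueError:
            continue  # unreadable package.json: nothing reliable to provide
        name, version = meta.get("name"), meta.get("version")
        if isinstance(name, str) and isinstance(version, str):
            found.setdefault(name, set()).add(version)
    return found

def provides_lines(found):
    """One line per (name, version); nested duplicates at other versions are
    kept. Pre-release '-' is not a legal RPM version character, so use '~'."""
    return [f"Provides: bundled(npm({name})) = {ver.replace('-', '~')}"
            for name in sorted(found) for ver in sorted(found[name])]

def generate(root):
    """Read every package.json below root (e.g. a buildroot) and emit Provides."""
    return provides_lines(bundled_from_manifests(
        (p, p.read_text(encoding="utf-8")) for p in sorted(Path(root).rglob("package.json"))))

def demo():
    """Constructed tree: 'ms' bundled twice (one nested under debug), a scoped
    pre-release module, and the app's own manifest, which must be skipped."""
    tree = {
        "package.json": {"name": "myapp", "version": "1.0.0"},
        "node_modules/debug/package.json": {"name": "debug", "version": "2.6.8"},
        "node_modules/debug/node_modules/ms/package.json": {"name": "ms", "version": "2.0.0"},
        "node_modules/ms/package.json": {"name": "ms", "version": "0.7.1"},
        "node_modules/@scope/pkg/package.json": {"name": "@scope/pkg", "version": "1.0.0-beta.1"},
    }
    with tempfile.TemporaryDirectory() as tmp:
        for rel, meta in tree.items():
            path = Path(tmp, rel)
            path.parent.mkdir(parents=True, exist_ok=True)
            path.write_text(json.dumps(meta), encoding="utf-8")
        return generate(tmp)
```

Running `demo()` yields four lines, including two for `ms`, which is exactly the duplication Rule 3 is meant to surface when a fix is needed.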