I've seen the npm complaints too, but it wasn't something I wanted to go near.
Which modules use the NPM artifacts, and who is using them in production? As if they are orphaned, we need to discuss what to do.

On Tue, 27 Jun 2023 at 21:59, Wei-Chiu Chuang <[email protected]> wrote:

> Hi,
>
> First of all, I am not familiar with YARN code so I'm not really in
> the position to make such a claim. But while releasing Hadoop 3.3.6, I
> found that a number of YARN modules are seldom updated or maintained.
>
> 1. There are hundreds of npm JavaScript module vulnerability alerts in
> the GitHub repo, many of them at critical level.
> 2. There are very few bug fixes and features in YARN applications, YARN
> CSI and YARN registry. There are only occasional updates due to typos, or
> dependency updates, which suggests that they aren't being actively
> maintained.
>
> I wonder if there are developers actively using or maintaining them. Would
> it make sense to move the code to a separate repo and a different release
> line? Or even deprecate them? Because having ill-maintained code is a
> burden for release managers.
>
> Thoughts? Looking for feedback
> Weichiu
