--no-install should be default behavior
yukulele opened this issue
When I install a package locally with npm, I don't want to run it with ./node_modules/.bin/the-package, so I use npx: npx the-package; I often use it: in terminal, in scripts, in makefile.
But if I forget to install the package or if I haven't done npm install, npx seems to try to install it first, only for one use.
So I'm not really informed that the package is not installed.
I think these two tasks are totally unrelated:
- run locally installed npm package
- run not installed npm package
I want to do the first, not the second.
Some people want to do the second, not the first.
npm tries to do the first, else the 2nd; who needs that?
Security issue: if I make a typo, I'm likely to download and directly launch any unknown package.
Another problem is that the package name is not always the same as the executable; for example, if I install pug-cli, I can do npx pug; if it is not installed, it will try to install pug (which only contains the JS library), so this is not the expected behavior.
For all these reasons, I suggest that by default, npx only runs local packages, and displays an error message if the package is not installed locally.
Personally, I'm not sure I understand the usefulness of the "install&run" behavior (I never use it); it could possibly be called with a parameter, but I think it would be better to create a new package for it.
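
The local-only behaviour requested above can be sketched as a small shell wrapper. This is an added example, not part of the original issue and not npm or npx code; `find_local_bin` and `run_local` are hypothetical helper names. It resolves a command only from a `node_modules/.bin` directory at or above the current directory and fails with an error instead of fetching anything.

```shell
#!/bin/sh
# Added example: run a binary only if it is installed in a local node_modules/.bin.
# find_local_bin and run_local are hypothetical helpers, not part of npm or npx.

# Print the path of the nearest node_modules/.bin/<name>, searching from the
# current directory up to the filesystem root. Returns 1 if none is found.
find_local_bin() {
    name=$1
    # Accept only a bare command name, so input such as "../x" or "a/b"
    # cannot point outside a node_modules/.bin directory.
    case $name in
        ''|*/*|.|..) return 1 ;;
    esac
    dir=$(pwd -P)
    while :; do
        candidate=$dir/node_modules/.bin/$name
        if [ -f "$candidate" ] && [ -x "$candidate" ]; then
            printf '%s\n' "$candidate"
            return 0
        fi
        [ "$dir" = "/" ] && return 1
        dir=$(dirname "$dir")
    done
}

# Run a locally installed binary; never fall back to downloading a package.
# A typo or a missing install produces an error and exit status 127.
run_local() {
    name=$1
    [ $# -gt 0 ] && shift
    if bin=$(find_local_bin "$name"); then
        "$bin" "$@"
    else
        echo "error: '$name' is not installed locally (no node_modules/.bin/$name found)" >&2
        return 127
    fi
}
```

Because the lookup is by executable name rather than package name, `run_local pug` finds the binary that pug-cli installs and reports an error when it is absent, rather than resolving to the unrelated `pug` library package.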