Decide which package manager to use. Both OpenCensuse Node and opentracing-javascript are using npm.
Originates from https://github.com/open-telemetry/opentelemetry-node/pull/2#discussion_r290065691
+1 for yarn
+1 for yarn
+1 for yarn
+1 for yarn
+1 for yarn
_Some OSS libraries use npm over yarn to avoid an extra dependency for contribution. I think with documentation this gap can be bridged, also probably yarn is popular enough today.
As yarn is faster which would make it more convenient to manage our many packages and it's dependencies. I advocate for it._
+1 for npm because it's still the standard.
Ease of use: In large deployments at customers, installing open telemetry will be part of the build system. DevOps engineers just got used to npm. Why make them install another dependency?
Security: While yarn just uses cloudflare to point back at the npm registry, I have seen cases where the build systems at customers had very strict whitelisting in place and only allowed outbound calls to the npm registry. e.g. it was impossible to make them whitelist one of our servers to pull an additional dependency via URL. In such scenarios npm will be always whitelisted while yarn is way more likely to be not allowed.
Politics: There are people that feel better depending on a independent entity like npm compared to yarn which is owned by facebook.
As an APM vendor I would stick to the standards and go with the lowest common denominator if I want to avoid confusion amongst my customers.
@danielkhan I believe we are just discussing the client we will use in scripts defined in package.json and with lerna. All customers will be free to use either yarn or npm to use OpenTelemetry
Has a decision been made here?
The decision is to go with yarn. This was reconfirmed in today's SIG meeting.
Most helpful comment
The decision is to go with
yarn. This was reconfirmed in today's SIG meeting.