[BUG] "npm uninstall" do not remove all files about cli HOT 7 CLOSED

Please fill out Steps To Reproduce otherwise we have no way of reproducing this.

from cli.

I am using the latest npm You are using npm 9 and node 18. Neither of those are the latest.

from cli.

There's a few things to note:

• npm should come with node, and not be installed with apt (node also should not be installed with apt)
• you're installing from a URL, instead of from a registry - for this one, you want npm i hallmark
• npm i installs something locally. local things are not available on your PATH. if you want that, use npm i -g - but global installs are an antipattern, and instead, try npx hallmark

from cli.

• npm should come with node, and not be installed with apt (node also should not be installed with apt)

As upstream you really recommend not to install from the GNU/Linux distros package repository? This confuses me. Then why doing the Debian maintainers investing resources to bring your package into their repo. Installing from upstream (if available via apt) is not the way it goes at Debian.

• you're installing from a URL, instead of from a registry - for this one, you want npm i hallmark

That is correct and on purpose. Not using 3rd party repositories for security reasons. I do use upstream (if not in Debian) or the Debian repo.

• npm i installs something locally. local things are not available on your PATH. if you want that, use npm i -g - but global installs are an antipattern, and instead, try npx hallmark

Isn't there an "entry point" for npm packages like python (pip(x)) create them? npx is the npm-shell/-interpreter like python3?

from cli.

I understand the way Debian wants to do things; in practice, it doesn't work out very well. Software should only be installed from distribution mechanisms endorsed by the software's maintainers. Virtually no upstreams in the JS ecosystem will recommend, support, or endorse installing from anything but the npm registry.

If you're using github, you're getting much less security than using the npm registry.

npx $package will install the package in a temp dir, and then invoke its binary if it contains one.

from cli.

First problem is that this command did create a new folder (node_modules) and two files (package-lock.json and package.json) direct in my current working folder. This is behavior I do not expect from a package manager. From my users perspective this is a bug

Based on this it seems this is not a bug, but a general issue w/ your expectations of npm versus reality. npm install in an empty directory will create a manifest and lockfile by default. This is the package.json and package-lock.json. You told it to install that package in the local folder, not globally.

As Jordan suggested, npx may be what you need, or you can install the package globally with npm i -g You are highly encouraged to install the package from the npm registry too and not from a git repo.

Closing this as it does not seem there's a bug. If you would like more general discussion around npm and what it does you can check out https://github.com/npm/feedback/discussions

from cli.

The issue is less about the behavior of npm but about its verbosity.
If you modify somehow the current working dir you should warn the users about it. Not every user expect it.

About Microsoft GitHub / upstream install vs. 3rd party repository install: Do you have evidence about it? Just for learning.

from cli.