Is a update for the npm package a possibility?


first let me say sorry if this issue was answered lately - while I’m a regular Elm user I’m not really following the community here or elsewhere on a regular basis.

In the last couple of months the npm packages has seen really quite a few bit/security-rot.
I usually install elm and elm-format via npm install --save-dev and our CI has the usual dependency scanners ready … which means that I have to dismiss quite a few critical or high alerts in the reports and honestly: it really rubs me the wrong way (it looks pathetic and it shows in the audits).

Sure I could build me a docker-image with the binaries preinstalled and circumvent this but that departs somewhat between our usual dev- and build-setup and this would be a last resort for me.

How are others here coping with this and is there any chance that someone with the needed access-rights would go and do some maintenance on the package?

Fun thing is that npm audit wants to revert to 0.19.0 as this has fewer of the broken/insecure package-dependencies :sweat:


Last year, me and @supermario worked on updating it, initially with buy-in from Evan. But in the end, he didn’t want to do it. Here’s the pull request: Free the npm package from third party dependencies by lydell · Pull Request #2287 · elm/compiler · GitHub

However, that work still resulted in the @lydell/elm npm package, which you can install right now:

npm install @lydell/elm

There’s also the elm-tooling CLI which is yet an alternative.


The last time I looked (~6 months ago), I think only elm-review actually needs node and everything else (if you substitute elm-test-rs for elm-test) could hypothetically bypass using node/npm as fancy downloader for executables, and obviate the need to keep up with the dumpster fire in the future.

There’s also elm-watch which uses Node

Right now, elm-test-rs needs either node or deno to actually run the tests.

But the scary installation with npm could be avoided.

1 Like

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.