
Drizzle ORM's 131 KB Per Release Blew Past NPM's 100 MB Limit

The package's packument grew to 100 MB after 763 automatic snapshot releases, blocking new versions for weeks until NPM support manually deleted the old ones.

Tags: drizzle orm, npm, packument, vlt, javascript, open source

Drizzle ORM couldn't ship a single release for a month because each publish added 131 KB of JSON to a single registry document, and 763 of those blew past NPM's 100 MB ceiling.

The Packument Trap: One Document to Rule All Versions

NPM stores all versions of a package in a single JSON blob called a packument. Every npm install without a lockfile downloads that entire blob. Drizzle's packument swelled because every snapshot release from git commits contributed a full manifest. At 131 KB per release, 763 releases hit exactly 100 MB. The registry refused any further publishes.

NPM prevents package deletion after 72 hours to preserve security and stability. So Drizzle couldn't clean up old builds themselves. They had to contact NPM's small support team at GitHub, who manually deleted older versions. The process took weeks. This isn't an edge case - the same limit has blocked other projects before.

What Drizzle Did Wrong and How You Can Avoid It

Drizzle's misstep: publishing every dev build and snapshot release to the public registry. Most users never need those versions. Each one permanently inflates the packument, slowing fresh installs for everyone forever. Better approach: keep dev builds on a separate registry or use an allow-listed mirror like vlt.io's, which trims Drizzle's packument from 61 MiB to just 1.7 MiB.

Check your own risk by running curl -s https://registry.npmjs.org/<your-package> | wc -c | awk '{printf "%.2f MiB\n", $1/1024/1024}'. If that number is creeping past 50 MiB, start pruning old versions - or push for NPM to support query parameters that let clients request only specific version ranges, dramatically cutting bandwidth.
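The one-liner above only reports the total size. The following script, added here as an example and not part of the vlt.io article or any project's code, goes a step further: it counts the versions in a packument, separates semver prerelease versions (the snapshot-style builds the article blames) from stable ones, and estimates how many more releases of average size fit before the ceiling. The packument it analyzes is a small constructed sample; the 100 MB ceiling is assumed to be 100 * 10**6 bytes because the page does not state NPM's exact figure or unit. In real use you would pipe `curl -s https://registry.npmjs.org/<your-package>` into it.

```python
import json
import re
import sys

# Assumption: the article's "100 MB" ceiling is taken as 100 * 10**6 bytes;
# NPM's exact figure and unit are not stated on the page.
PACKUMENT_LIMIT_BYTES = 100 * 10**6

# Versions carrying a semver prerelease suffix (e.g. "0.2.1-0000abc") are
# treated as snapshot/dev builds; stable releases have no suffix.
PRERELEASE_RE = re.compile(r"^\d+\.\d+\.\d+-")


def _json_size(obj) -> int:
    """Byte size of the compact JSON serialization, close to what the registry serves."""
    return len(json.dumps(obj, separators=(",", ":")).encode("utf-8"))


def analyze_packument(doc: dict, limit_bytes: int = PACKUMENT_LIMIT_BYTES) -> dict:
    """Summarize how much of a packument is snapshot builds and how much room is left."""
    versions = doc.get("versions", {})
    total_bytes = _json_size(doc)
    per_version = {v: _json_size(m) for v, m in versions.items()}
    snapshot_bytes = sum(n for v, n in per_version.items() if PRERELEASE_RE.match(v))
    snapshot_count = sum(1 for v in per_version if PRERELEASE_RE.match(v))
    stable_bytes = sum(per_version.values()) - snapshot_bytes
    avg = sum(per_version.values()) / len(per_version) if per_version else 0.0
    headroom = max(0, limit_bytes - total_bytes)
    return {
        "total_bytes": total_bytes,
        "version_count": len(per_version),
        "snapshot_count": snapshot_count,
        "snapshot_bytes": snapshot_bytes,
        "stable_bytes": stable_bytes,
        "snapshot_share": snapshot_bytes / total_bytes if total_bytes else 0.0,
        "avg_bytes_per_version": avg,
        "over_limit": total_bytes >= limit_bytes,
        # Releases of average size that still fit before the registry refuses publishes.
        "releases_left": int(headroom // avg) if avg else None,
    }


def format_report(report: dict) -> str:
    """Human-readable summary in the MiB/KiB units the article uses."""
    mib = 1024 * 1024
    left = report["releases_left"] if report["releases_left"] is not None else "unknown"
    lines = [
        f"packument size: {report['total_bytes'] / mib:.2f} MiB ({report['version_count']} versions)",
        f"snapshot/prerelease versions: {report['snapshot_count']} "
        f"({report['snapshot_share']:.0%} of the document)",
        f"average per version: {report['avg_bytes_per_version'] / 1024:.1f} KiB",
    ]
    if report["over_limit"]:
        lines.append("status: AT/OVER LIMIT - publishes will be refused")
    else:
        lines.append(f"status: about {left} releases of headroom")
    return "\n".join(lines)


def make_manifest(name: str, version: str, dep_count: int) -> dict:
    """Constructed per-version manifest; real entries carry more fields (maintainers, engines, ...)."""
    return {
        "name": name,
        "version": version,
        "dependencies": {f"dep-{i}": "^1.0.0" for i in range(dep_count)},
        "dist": {
            "tarball": f"https://registry.example.invalid/{name}/-/{name}-{version}.tgz",
            "integrity": "sha512-PLACEHOLDER",
        },
    }


def sample_packument() -> dict:
    """Constructed packument: two stable releases and four commit-derived snapshot builds."""
    name = "example-orm"
    versions = {v: make_manifest(name, v, 20) for v in ["0.1.0", "0.2.0"]}
    for i in range(4):
        v = f"0.2.1-{i:07x}"  # snapshot tag derived from a fake commit id
        versions[v] = make_manifest(name, v, 20)
    return {"name": name, "dist-tags": {"latest": "0.2.0"}, "versions": versions}


if __name__ == "__main__":
    # `python3 packument_report.py -` reads a packument from stdin; no argument uses the sample.
    doc = json.load(sys.stdin) if len(sys.argv) > 1 and sys.argv[1] == "-" else sample_packument()
    print(format_report(analyze_packument(doc)))
```

The per-version split is the useful part: if most bytes sit under prerelease versions, the fix is to stop publishing snapshots to the public registry, as the article recommends, rather than to trim stable releases users actually depend on.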

The 100 MB limit itself is reasonable. What's not reasonable is forcing every client to download centuries of history for a fresh install. vlt.io's registry already solves this with an allow-list approach. The npm ecosystem needs a smarter packument query interface before the next project hits the wall and loses another month.


Source: Why Drizzle ORM couldn't publish new releases on NPM for a month | vlt /vōlt/
Domain: vlt.io


