docs: stop instructing readers to npm install the unpublished package #70
Open
maa-xx wants to merge 1 commit into
Conversation
The README, SYNC docs, and example CI scripts told readers to run `npm install -g deepl-cli`, but no package exists under that name on the public npm registry. Following those instructions today would either fail or — if a third party publishes under that name first — install untrusted code. Replace the speculative install commands with the actual working path (install from source via `git clone … && npm ci && npm run build && npm link`) and add a security note in the README explaining the situation until an official scoped package is published. No code changes; docs and example shell scripts only.
Summary
The README, `docs/SYNC.md`, and several `examples/*.sh` CI snippets currently tell readers to run `npm install -g deepl-cli`, but no package exists under that name on the public npm registry. That has two practical problems:

- Following the instructions today fails with `404 Not Found` from the registry.
- With `deepl-cli` as the install target, a third party who registers something under or adjacent to that name on the public registry can serve code to anyone who follows the docs. (The README's "> CI examples below ... assume a published npm package; source-installed users should substitute the source-install path" caveat is easy to miss in the middle of a quickstart.)

This PR is docs-only. It replaces the speculative `npm install -g deepl-cli` invocations with the source-install path that already works (`git clone … && npm ci && npm run build && npm link`) so the examples run today, and rewrites the README's From npm section to be explicit about the current state plus a short security note about not running the speculative `npm install` against the public registry until an official (ideally scoped, e.g. `@deepl/cli`) package is published.

Files changed

- `README.md`: rewrite the From npm (not yet published) section; add a security note.
- `docs/SYNC.md`: replace `npm install -g deepl-cli` in all three CI YAML snippets (GitHub Actions check, GitHub Actions auto-sync, GitLab CI) with the source install.
- `examples/18-cicd-integration.sh`, `examples/31-sync-ci.sh`: same replacement in the heredoc YAML they print.
- `examples/README.md`: point readers at the From Source section instead of the speculative npm command.
- `examples/05-document-translation.sh`, `examples/12-cost-transparency.sh`: these were translating fixture text that happened to read `npm install -g deepl-cli`; swapped to neutral wording so the repo contains no copy-pasteable speculative install line.

Follow-ups out of scope here

- Publishing an official scoped package (`@deepl/cli`) and switching the docs back to `npm install -g @deepl/cli`.
- Adding a `prepare` script to `package.json` so `npm install -g github:DeepLcom/deepl-cli` would Just Work and the CI snippets could collapse to a single line. Left out of this PR to keep it docs-only.

Test plan

- `grep -rn "npm install.*deepl-cli" --include='*.md' --include='*.sh' --include='*.yml' --include='*.yaml'` returns only the two intentional mentions in `README.md` (the future-state sentence and the security warning).
- Fresh source install: `git clone --depth 1 https://github.com/DeepLcom/deepl-cli.git /tmp/deepl-cli && cd /tmp/deepl-cli && npm ci && npm run build && npm link && deepl --version`.
- Preview `docs/SYNC.md` on GitHub and confirm the rewritten sections are readable and the CI YAML still parses.
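As an added example, not code from the PR or from the deepl-cli project, the shell below turns the test-plan grep and the two concerns in the summary into reusable checks: a scanner for copy-pasteable installs of the unpublished name, a rewrite of those lines to the source-install path, and a preflight guard that refuses to `npm install` anything that is not a scoped package the public registry actually serves. The fixture tree, the helper names and the "scoped names only" policy are assumptions made for the demo; the clone URL is the one from the test plan.

```shell
#!/bin/sh
# Added example; not code from the PR or the deepl-cli repository.
# Guards for the problem the PR describes: docs that tell readers to
# `npm install` a package name nobody has published on the public registry.
#
#   speculative_install_lines DIR PKG       print file:line:text for every
#                                           doc/script line that installs PKG
#   check_docs DIR PKG ALLOWED_FILE         0 iff every such line is in
#                                           ALLOWED_FILE (the README that warns
#                                           about it), else 1
#   rewrite_install_lines FILE PKG COMMAND  replace "npm install -g PKG" in
#                                           FILE with the source-install COMMAND
#   assert_published PKG                    0 iff PKG is scoped and the public
#                                           registry serves a version for it
#                                           (needs network; not run below)
#
# Assumptions: PKG is a plain npm name (lowercase, digits, - _ .) because it is
# interpolated into a regex; the fixture tree is made up for the demo; the
# clone URL is the one from the PR's test plan.

set -u

# The working install path from the PR, used as the replacement text.
SOURCE_INSTALL='git clone --depth 1 https://github.com/DeepLcom/deepl-cli.git && cd deepl-cli && npm ci && npm run build && npm link'

speculative_install_lines() {
  # Matches "npm install PKG", "npm i -g PKG", "npm install -g PKG@1.2.3", also
  # inside markdown code spans; does not match "PKG-extra" or "@scope/PKG".
  find "$1" -type f \( -name '*.md' -o -name '*.sh' -o -name '*.yml' -o -name '*.yaml' \) \
    -exec grep -HEn \
      "npm[[:space:]]+(install|i)[[:space:]]+(-g[[:space:]]+)?$2(@[^[:space:]]*)?([^[:alnum:]_.-]|\$)" \
      {} + 2>/dev/null || true
}

check_docs() {
  dir=${1%/} pkg=$2 allowed=$3 bad=0
  while IFS= read -r hit; do
    case $hit in
      '') ;;                          # no matches at all
      "$dir/$allowed:"*) ;;           # the intentional warning, not a how-to
      *) printf 'speculative install of %s: %s\n' "$pkg" "$hit" >&2; bad=1 ;;
    esac
  done <<EOF
$(speculative_install_lines "$dir" "$pkg")
EOF
  return $bad
}

rewrite_install_lines() {
  # index/substr instead of sed or gsub so the "&&" in the replacement stays literal.
  awk -v needle="npm install -g $2" -v repl="$3" '
    { s = $0; out = ""
      while ((i = index(s, needle)) > 0) {
        out = out substr(s, 1, i - 1) repl
        s = substr(s, i + length(needle))
      }
      print out s }' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

assert_published() {
  # Policy (assumed): anyone can register a bare "deepl-cli", but only the
  # owner of the "@deepl" scope can publish "@deepl/...", so insist on a scope.
  case $1 in
    @*/*) ;;
    *) printf 'refusing %s: expected a scoped name such as @deepl/cli\n' "$1" >&2; return 1 ;;
  esac
  ver=$(npm view "$1" version 2>/dev/null) || ver=
  if [ -z "$ver" ]; then
    printf 'refusing %s: the public registry serves no version for it\n' "$1" >&2
    return 1
  fi
  printf '%s@%s is published\n' "$1" "$ver"
}

make_fixture() {
  # Constructed demo tree: the README's intentional warning, a CI snippet with the
  # copy-pasteable command, and two near-misses that must not count.
  d=$(mktemp -d)
  mkdir -p "$d/docs" "$d/examples"
  printf '# deepl-cli\n\n> Security: do not run `npm install -g deepl-cli` against the public registry; no such package is published.\n' > "$d/README.md"
  printf 'script:\n  - npm install -g deepl-cli\n  - deepl --version\n' > "$d/docs/ci.yml"
  printf 'npm install -g deepl-cli-extra\nnpm install -g @deepl/deepl-cli\n' > "$d/examples/other.sh"
  printf '%s\n' "$d"
}

FIXTURE=$(make_fixture)
check_docs "$FIXTURE" deepl-cli README.md || echo "before: docs still carry a speculative install"
rewrite_install_lines "$FIXTURE/docs/ci.yml" deepl-cli "$SOURCE_INSTALL"
check_docs "$FIXTURE" deepl-cli README.md && echo "after: only the README warning mentions it"
rm -rf "$FIXTURE"
```

`check_docs` is the CI-friendly form of the test plan's grep: it only passes when the bare name appears in the one file that is allowed to mention it, and it ignores lookalike names such as `deepl-cli-extra` so the check does not fire on unrelated packages. `assert_published` is the guard a CI job could run before any real `npm install -g` once a scoped package exists; it deliberately fails closed on an unscoped name without touching the network.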