[RRFC] Deprecating the npx package from the public registry

[ruyadorno]

⚠️ [DISCLAIMER]: npx as a command now lives within the npm cli, it's not going anywhere and we love it - this discussion is only about deprecating the npx package published in the npm registry.

---

We know we want to deprecate the npx package but what exactly does that mean?

• Simply putting up a deprecation notice for the package in the registry?
• Cut a new major version and point it to install npm instead?
• Some other/diff ideas?

[wesleytodd]

I have heard this a few times, but I am pretty strongly against this idea. It is now deeply ingrained in many folks workflows. Wouldn't it be better to just re-purpose the package on top of whatever new approach you prefer to maintain?

[ruyadorno]

@wesleytodd awesome to hear from you! Yeah, I was expecting that there could be some concerns so I think it's a great point to talk about during the OpenRFC call and make sure we are aware of all the implications! 😊

[thescientist13]

We know we want to deprecate the npx package but what exactly does that mean?

Is there any additional context available here or discussion to follow on this topic? In particular understanding the motivation to deprecate it and what the alternative being proposed is (if any)?

I (personally) think npx was a great addition to the ecosystem and favor it as much as possible instead of having to install global packages for something as trivial as say firing up a quick webserver "inline", e.g.

$ npx http-server

[ruyadorno]

hi @thescientist13 thanks for the comment, it just made me realize some people might not be aware of all the context so I added a big disclaimer there on top:

⚠️ [DISCLAIMER]: npx as a command now lives within the npm cli, it's not going anywhere and we love it - this discussion is only about deprecating the npx package published in the npm registry.

[thescientist13]

AH, phew! 😅

Appreciate the clarification there. 👍

[ljharb]

How many people actually use/install the npx package from the registry, since npx comes with modern versions of npm?

[darcyclarke]

@ljharb ~56k weekly downloads

[ljharb]

@darcyclarke do you have any internal metrics that tell you if those are being installed by an npm that already ships with npx? ie, can you filter out the installs that arguably aren't needed?

[remyrylan]

Just to put in perspective: 56k weekly downloads are about 2.75% of the 2 million+ weekly downloads the npm package gets. My vote (not worth much, I know) is to rip the bandage off and officially mark the npx package as deprecated once npm v7 is released. The deprecation message should be clear and state the importance of upgrading.

Maybe something like:

"npx is now integrated directly into npm v7+. There are numerous unsupported issues in this package that are fixed in the latest npm version."

[wesleytodd]

These are long tail migrations. What are the benefits of adding a deprecation warning (which will be disruptive)? Seems to me there should be some big benefits to justify it until npm 7 has seen significant adoption.

So share some data, of the projects I am able to reliably query at work, 12% of active projects are still not on npm@6.

EDIT: and to be clear, I am not saying this would disrupt those projects, just that saying "it is in npm@7" doesn't solve things for everyone.

[ljharb]

Another point is that if you don't want to force your consumers to have npm 7, or even an npm with npx, you'd want to add npx as a dependency.