Make node-oracledb installable via standard 'npm' install

[cjbj]

We are working on it...

[theothermattm]

I am not a C coder, but if you need help with anything in particular related to javascript code or documentation, let me know, I can try to contribute. I'll keep it in mind as I try out the module.

[cjbj]

@theothermattm we'd love to understand how you use the DB in your Node.js applications, how you scale (cluster?), deal with LOBs, deal with NLS, deal with DATEs etc. Let us know what you find, either here as Issues or on the OTN forum https://community.oracle.com/community/database/developer-tools/node_js/content Also checkout CONTRIBUTING.md

[theothermattm]

Will do, thank you!

[tbranyen]

I published this module to NPM. If anyone from Oracle would like to take over publishing, I'd be happy to transfer.

Edit: The module name is oracledb, so you'd do: npm install oracledb.

[atiertant]

+1 it whould be great that oracle publish a corporate npm package

[jeffm13]

+1

[sagiegurari]

I did npm install oracledb without knowing its not officially published by oracle corp.
I think that is an issue that it is published by someone else.
how hard is it to add a line "npm publish ." at the end of the official oracle release build process?

[cjbj]

@sagiegurari we need Legal and management sign off. We're working on it.

[tbranyen]

@sagiegurari what issue is that exactly? I publish the exact version'd tag that comes from this Git repository. This is fairly standard practice with NPM and Node. Keep in mind NPM does not sign packages so if you're worried about security, there's a lot more to worry about than who is publishing. If you'd like to pull the official (in your mind) source, you could always add:

"oracledb": "oracle/node-oracledb"

in your package.json to fetch directly from GitHub.

[sagiegurari]

issue is that when you publish to npm, it does not validate that it is exactly what you have in your git.
it just packages what you have locally in your directory that you published.
it is not that i don't appreciate your efforts, but i think it is a security issue and we need to be careful about it.

putting github url in package.json means it is not versioned which is not a good solution as you can't reproduce a build.
you can't go forward and backward in versions as you always take a snapshot of the current git status.
thats only good for testing something new (like this package).

"Legal and management sign off" - Ya i'm familiar with those :)
hopefully this would be handled quickly.

[tbranyen]

I hear ya @sagiegurari, but for now you absolutely can version with that syntax. Simply add the SHA that matches the version you're looking for. For instance the latest version (0.3.1) could be versioned in your package.json with the following:

"oracledb": "oracle/node-oracledb#619e9a8fa6625a2c5ca3e1a2ba10dbdaab5ae900"

I completely agree that it would be better for all parties if Oracle could get approval for publishing rights. Until then I will maintain a clean Git repository and only publish exact tags. Have your security team do an audit of files coming from NPM will go a long way from assuming everything there is published under official sources.

[theothermattm]

Thank you, Tim! And good tip on using the SHA in your package.json to verify things... Did not know that.

[cjbj]

@tbranyen Did you see node-oracledb 0.4.1 is out?

[cjbj]

@theothermattm you can also use a tag in package.json:

"dependencies": {
    "oracledb": "oracle/node-oracledb#v0.4.1"
    },

[tbranyen]

All set!

[cjbj]

@tbranyen are you ready to do a handover to me? See email from a few days ago.

[cjbj]

node-oracledb 0.4.2 is now officially on https://www.npmjs.com/package/oracledb. Thanks to @tbranyen for setting it up and doing a smooth handover.

INSTALL.md has been updated to recommend NPM in the base installation steps.

[sagiegurari]

thanks, this is good news.