How can/will django-commons handle related npm packages?

[sergei-maertens]

Hi everyone - this question is me doing my due diligence before I (try to) transfer django-cookie-consent into django-commons.

There is some Javascript bundled with django-cookie-consent through django staticfiles, but DX-wise that creates some friction when trying to integrate this in common frontend stacks with bundlers (Vite,Webpack) and/or Typescript. For this reason, the JS and type declaration are also published on NPM and the version number of that package matches the PyPI package version number. However, I currently have to publish this package under my personal NPM account because there's no jazzband account that I can publish it with and using Github package registry is not an option either because I can't make the package public.

I see django-commons as a solution to this problem, in two possible ways (that are not necessarily mutually exclusive):

• publish the package to npm under the appropriate namespace, e.g. @django-commons/django-cookie-consent
• publish it on Github NPM package registry, and because maintainers have the admin permissions on the repo, they can mark the package as public too

I'm curious what the rest of the community thinks about this and whether there's a preferred approach. The discussion could also set a precedent for future other package ecosystems (e.g. possible Rust/cargo crates that are exposed via Python bindings, to name one).

[thibaudcolas]

👋 my two cents as someone who has more packages on npm than PyPI: go with npm rather than GitHub

• It’s pretty simple to set up an organization in npm, takes a few minutes, and it’s free for public packages.
• I’ve never seen anyone publish to the GitHub npm package registry for packages intended for public usage. I’m sure it can be done but I don’t think it’s the intention of that registry, and will make installation harder.

npm’s organizations have a concept of teams. Packages are always associated with a specific team rather than the whole organization, so it would be possible to have a "django-cookie-consent" team in the "Django Commons" organization, with access to that package.

publish the package to npm under the appropriate namespace

Publishing under a scope isn’t a requirement when using organizations. For example the wagtail organization on npm has two @wagtail/ packages, and three with no scope. Scopes are useful to group related packages, and to convey ownership. I’m not sure it’s a need here so might not be the right thing to do. If the package was to change ownership later, it wouldn’t be possible to remove the scope from the package name – the package would have to be republished (losing the release and usage history and requiring users to manually switch).

[sergei-maertens]

That's very insightful and 100%I agree with your reasoning!

[tim-schilling]

Thank you for raising this @sergei-maertens! I think this is something Django Commons should be involved in. I'm not sure when though.

I'm a little worried about going through the leg work to figure out how to properly maintain organizations and teams, defining our processes and playbooks to only have one package use it. Not saying it would only apply to one package ever, but it's hard to predict the future.

[tim-schilling]

we could do that later based on (unofficial) processes that have developed with django-cookie-consent

I'm against publishing something under django-commons until we have an understanding of your follow-up questions to Sergei. It feels unwise to me to start doing something without having an understanding of where the boundary of responsibility is.

[sergei-maertens]

I plan to follow up on this discussion over the weekend!

[sergei-maertens]

Having read through everything, some notes/remarks on my part and possible suggestions moving forward.

@thibaudcolas pointed at the teams and organizations structure on npm - I'm already using that as part of my $dayjob and it looks like the right approach for an organization like django-commons:

• the organization works similar to the github organization, people can get added with an invite
• npmjs.com is definitely preferred as it provides the best developer experience for users of the package, publishing on github package registry was a last resort on my part in the jazzband org which also wasn't succesfull.
• publishing under the @django-commons scope is definitely not desired, since these packages cannot be transferred. I did not realize you can publish a package name without scope even when associated with an organization, so that sounds like best of both worlds.
• automatic publishing - we should use granular access tokens for this and publish through github actions. revoking a user's access to a package also revokes their tokens access, so the admin/maintainer of the github repository should be able to configure this secret.

Given the "exotic" nature of having to publish on NPM as well and looking at the administration aspect for django-commons itself, it would probably be wise to either:

• automate organization assignment and teams - I'd expect this can be done through terraform as well like how you manage the github org, but it's probably overkill at this stage. I have no terraform experience myself so I can't assist here (yet).
• only create the teams and invite members as needed - this process could be structured via a github issue template on the membership repository. It requires some more manual actions and in particular if a package moves some other place again or maintainers leave, there should be a proper off-boarding process documented and followed (remove maintainer from team and/or organization), + procedure to transfer the npm package itself again.

I'm against publishing something under django-commons until we have an understanding of your follow-up questions to Sergei.

Noted and of course respected - I too would like to have a clear picture of the process before I even initiate the transfer of django-cookie-consent, as I don't want to risk "moving the problem" instead of resolving it.

Summary

In my opinion, the following actions should be considered to move this forward (assuming django-commons want to pull npm packages into scope!):

1. The owners of the Github organization django-commons should become owners/admins of the npmjs.com "django-commons" organization too.
   • Probably they should align MFA requirements too - I'm not sure if the github org has such a requirement or not
2. Add a github issue template to request the creation of a team on npm
   • probably good to stick to the existing template, so this would mean [project-name]-admins. Triaging and committing still happens on Github.
   • the above also implies that the JS code and toolchain must live in the same repository as the PyPI package (monorepo setup) - this might be controversial?
   • when granted, the user is added as a member (other options are admin and owner) to the django-commons organization
   • when granted, the team is created and the package [project-name] is added + the team is assigned "Read and write" permissions
   • when granted, the user is added to the package-specific team as well (doesn't look like there are extra options to configure here)
   • the above steps will need to be performed by one of the django-commons owners, which creates some overhead. if/when this is too much, I'm sure there's a way to automate this
3. The maintainer(s) of the package configure their CI pipeline (github actions) to publish the build to NPM
   • one of the team members (on NPM) must create a (granular) access token and add it to the github actions secrets in the repository
   • the release process is as usual - a git tag kicks off the entire process, both the NPM and PyPI package (I haven't double checked that this is how django-commons operates too)

[tim-schilling]

Thank you for this fantastic write-up @sergei-maertens! This is extremely helpful. @Stormheg with this understanding, I'm more amenable to having something unofficial since we have a general plan of how to go about implementing it. If the rest of the @django-commons/admins are onboard with this direction (Django Commons having support for NPM packages), then I think we can move forward on both fronts: solve the immediate problem for @sergei-maertens and start building out the long-term solution.

[tim-schilling]

@sergei-maertens this came up in our @django-commons/admins meeting. We settled on creating an NPM organization to host packages. We will expect any projects to publish unscoped packages so that they can easily be transferred out. At this point, we would only serve as a backstop for providing another set of hands to control the NPM packages in case you win the lottery.

Currently, we're not committing to building any packaging or release mechanisms. There's a cost to that and it's unclear how much of a benefit there would be.

Let us know what you think when you have time!

[sergei-maertens]

I checked with another organization on how the package "transfer" works and it's a bit clunky 😬

As owner of the package

The CLI is probably the easiest way to do this

npm owner add <django-commons-admin-username> <package-name>
npm owner rm <own-username> <package-name>

or do this in the UI via the Settings > add maintainer.

It's probably best to remove yourself as owner only after all the rest has gone right.

As django-commons admin

You need to be an owner/maintainer of the package to do this

1. Navigate to your account settings
2. Navigate to Organizations > django-commons
3. Navigate to Teams (tab) and the appropriate team
4. Fill out the package name in the text box and click "+ Add existing package"
5. Confirm the permissions are read + write

Team members should now be able to publish (new versions of) this package.