Ability to use dependency manager and pin JS files form node_modules

[thisismydesign]

I know importmap-rails is not meant to be used with package.json but hear me out..

I'm all in favor of ditching the JS build step which complicates things a lot. But I would also like to have proper dependency management for JS. I don't think these exclude each other. I think the principles of importmaps work just fine with package.json, the example in the readme says as much: import React from "./node_modules/react"

Those of us who are ok with having yarn or npm installed could have the best of both worlds:

• get all the benefits of a proper dependency manager like integrity checks and proper versioning
• bunch of tooling relies on package.json, like auto-creating dependency update PRs
• no need to commit dependencies (for security Serving JS files from /vendor is insecure #275 and bad practice)
• no need to use CDN (security Security: verify integrity of pinned resources? #122 and wanting a self-contained app)
• familiarity, step-by-step migration

All my issues would be solved by: pin 'tom-select', to: 'node_modules/tom-select/dist/esm/tom-select.complete.js'

Is this possible? Is there a reason why this can't be an option?

[dhh]

We have jsbundling-rails for folks who want to have all of that. You're not getting around a build step if you have dynamic dependencies that aren't committed anyway. I think what you want is just jsbundling-rails.

[thisismydesign]

@dhh Many dependencies already include a bundled version. I don't need a build step, I can just reference the bundled file from node_modules.

Like in the tom-select example I gave above.

[nogweii]

I'd like to see this supported as I don't want to depend on the good graces of jspm.io working. That's a dependency I'm not a fan of. Being able to point to a local file would allow me to retrieve the file in whatever manner I'm comfortable with. ./bin/importmap pin would copy (move?) the local file into vendor/javascript. "Downloading" a local file, as it were.

Then people could use npm/yarn if they really want to manage dependencies that way, or any other tool could slot in.

[dhh]

Pin already downloads the file by default. There's no runtime dependency.

[thisismydesign]

Yes but that isn't a safe or convenient way to manage dependencies. A dependency manager is.

Local files are already supported, so allowing an optional custom path for them should be straightforward, and it would solve these issues.

[dhh]

If you want a full-blown dependency manager, you should use npm with esbuild. We already have a great integration for that with jsbundling-rails. It's not what this setup is about.