Stop developing corepack (from a happy user)

[trivikr]

Is your feature request related to a problem? Please describe.

I'm a very happy corepack+yarn user. I use it in all the yarn modern projects I'm primary author of, like https://github.com/aws/aws-sdk-js-codemod, and have got consensus to use corepack in open source packages I maintain with other folks, like https://github.com/facebook/jscodeshift. I also closely monitor/participate in requests to enable corepack in other projects, like GitHub action to setup node in actions/setup-node#531

There has been asks to make corepack stable since May 2022 #104
The PR to enable yarn/pnpm corepack binaries by default in nodejs/node#51886, has moved from most approvals to most declines. There's an open PR to remove corepack too at nodejs/node#51981

Alternative package managers which corepack helps choose version of have shown signs that they're taking different directions

• npm wants to remove itself from being managed by corepack fix: remove npm #418
• npm removal from corepack has multiple approvals, including from Node.js TSC members fix: remove npm #418
• pnpm introduced a configuration to manage itself in https://github.com/pnpm/pnpm/releases/tag/v9.7.0

These signs indicate that it may not be worth developing corepack, irrespective of whether it's shipped in Node.js or through npm.

Describe the solution you'd like

Stop any further development of corepack. It was primarily developed by maintainers of yarn, and they can introduce a configuration to manage yarn versions as suggested in yarnpkg/berry#6443 (comment)

Describe alternatives you've considered

• Recommend installing corepack from npm.
  • A twitter poll created by developers might not install it from npm https://twitter.com/styfle/status/1772353395321454916
• Implement devEngines proposal in corepack feat: add proposal for binary management package-maintenance#594

Additional context

Reference yarnpkg/berry#6443 (comment)

[arcanis]

npm wants to remove itself from being managed by corepack #418

This PR was opened by a former member of the npm team, and a founder of a separate for-profit startup currently building a package manager. That doesn't signal anything from the npm folks, who refused to involve themselves in the discussion.

pnpm introduced a configuration to manage itself in https://github.com/pnpm/pnpm/releases/tag/v9.7.0

The mitigation plans we have for Yarn (and I suspect those pnpm built) are motivated mostly by the lack of clarity we have regarding the status of Corepack. The discussion has in my opinion been corrupted, and in the absence of moderation by the TSC it makes sense we would move to protect our users, even if the outcome we hope for is different.

In that way, that we're building safeguards should more be seen as a statement against the Node.js governance that brought us here than the value of the Corepack project itself - it should still be merged, there's still value in it that we won't be able to achieve with Yarn and pnpm alone. But if Node.js drops the ball, at least we won't be the ones to hold the bag.

[trivikr]

This PR was opened by a former member of the npm team, and a founder of a separate for-profit startup currently building a package manager. That doesn't signal anything from the npm folks, which refused to involve themselves in the discussion.

Thanks for the clarification. I updated my comment to be accurate as follows

npm removal from corepack has multiple approvals, including from Node.js TSC members

[aduh95]

I agree that if Corepack is not going to be enabled by default with Node.js distribution, it only makes sense to put it in maintenance mode. If someone would want to fork the project and inherit the npm package, that would certainly be fine with me, but we would still need to keep this repo in maintenance mode for a while before we can actually remove Corepack from Node.js distribution.
Before this happens, there are discussions in the package maintenance group for providing alternatives to Corepack – and some solution for Node.js version management which is not (and probably cannot be) cover by Corepack. Moving Corepack to maintenance mode without alternatives achieves nothing but hurts its users, so IMO out best course of action for now is to keep the package-maintenance discussion going and build the alternatives.

[trivikr]

Socket Security wrote a blog post summarizing decision from Node.js PMWG (Package Maintenance Working Group)

https://socket.dev/blog/node-js-takes-steps-towards-removing-corepack

[aduh95]

Well, it's summarizing the discussion, it's not very correct to call that a decision at this point. The thing is, it's clear that a plan to phase out Corepack is way more likely to get consensus than any other plan, so IMO that's where we're heading. You opening this issue only confirms this opinion.
But anyways, it's too soon to move Corepack to maintenance mode now, we (Corepack users, and the broader ecosystem) can still benefit from new features (e.g. if Yarn starts providing signatures for its releases, it would be beneficial to include them in Corepack – and Corepack pushing Yarn into signing releases would be beneficial for the ecosystem whether Corepack keeps being a thing long term or not).

[trivikr]

it's too soon to move Corepack to maintenance mode now, we (Corepack users, and the broader ecosystem) can still benefit from new features

That's good to know, and thank you for sharing the status. This issue can be closed.

The maintainers can either open a new issue, or use other communication mediums like README, npm deprecation and/or Node.js warning when (and if) corepack is moved to maintenance mode in future.