
Every other tool in this space is in NPM - why do I have to trust your install script?


Hey, the thing is that Wasp is not written in JS, so while we could use NPM, we would be forcing it in a way - in the end it would come down to shipping a bash script as part of our npm package and just running that bash script from package.json commands/scripts. The second thing is that while Wasp depends on node right now, which then serves as an argument to use npm as the installation mechanism, we plan to remove the dependency on node by dockerizing everything in the future (it is a step toward detaching Wasp from specific implementations), so we lose that argument.

That said, we have not completely ditched the idea of using NPM as an installation mechanism, but we haven't convinced ourselves yet - maybe we should give it more thought though. What do you think is the benefit of using NPM vs our install script? Why would you trust an NPM package more? Both the NPM package and our install script are open source and you can see the code, and both have equal execution privileges on your machine - why would you trust the NPM package more?


Fair point on the future direction.

SE says it better than me: https://security.stackexchange.com/questions/213401/is-curl-...

Particularly the first link, which outlines how to return different things depending on whether it's being piped into bash or not: https://www.idontplaydarts.com/2016/04/detecting-curl-pipe-b...


Thanks for sharing this! Reading this, there seem to be a lot of opposing opinions, but it seems to come down to curl being as safe as other methods, with the main problem being trusting the server from which the script is downloaded.

In our case, the server is github so that is all right, but the script is on master, so that is tricky because we might update it at any moment, so you should check it once it is downloaded. That is a concern for sure, and there are ways to remove that concern.

One thing that goes to our benefit though is that we are not requiring `sudo`.

Thanks for pointing all this out, we will certainly be looking into better ways to install Wasp in the future!



