Hi Dave,
we never rely on the availability of third party sites,
especially not commercial ones.
npm is commercial and pip is supported by a noncommercial foundation, but npm is still open source.
If you are concerned about relying on a 3rd party commercial site, perhaps we could use npm to install and manage dependencies but also check them in or set up pgadmin's own npm registry.
More importantly, we a) want to know
we have stable code in our tree (we don't want users running with
random versions that we may not have tested yet)
npm allows version locking, the same way we handle our python dependencies.
and b) on very rare
occasions we may modify our copies of the code - which is always a
last resort that is documented, and where appropriate, with a patch
sent upstream.
We agree that there might be cases where we need to vendorize assets but that shouldn't dictate our default approach to managing assets.
Tira, Sarah & Geroge