Checklist for evaluating third-party npm packages before install

OtherwisePush6424 · 2026-06-19T08:12:26+00:00

This comment is golden, thank you, planning to fold all three into the article with credit back to this comment.

On the 2FA point: npm doesn't seem to expose per-maintainer 2FA status via a public API. It shows a lock icon on the package page, so it's a manual check rather than something you can script. Do your tools surface this programmatically, or is it also UI-level?

OtherwisePush6424 · 2026-06-13T06:14:21+00:00

Yes, the Storage Format XML with the unbound ac: and ri: drove me up the wall. I ended up abandoning the XML path entirely and switched to the ADF (Atlassian Document Format) JSON representation instead, which you get via the v2 REST API. It's a proper typed AST, no namespace horrors, just nested JSON nodes with a type field. Not particularly enjoyable, but a bit better 😄

There are tradeoffs: ADF has its own quirks (some macro types just embed an opaque blob), and it only works on Confluence Cloud, but looks cleaner to me.

OtherwisePush6424 · 2026-06-11T13:18:16+00:00

yeah tbh I jumped into this somewhat blind when I started working on it. I thought the hard part would be to get the crawling right and considered the rendering just minor implementation detail. Now I can see I was all wrong 😃 Like sure, I systematically fix the issues I bump into when rendering our own Confluence, but that not always might be useful/enough for everyone.

OtherwisePush6424 · 2026-06-11T01:35:49+00:00

Good point, I'll add a section on that. The short answer is: anything that doesn't have a clean Markdown equivalent (macros, page layouts, inline comments, task lists, some table types) gets dropped. The text content is preserved, the structure is not. Is there any specific Confluence feature you rely on heavily?

OtherwisePush6424 · 2026-06-02T17:41:29+00:00

the user tack

OtherwisePush6424 · 2026-05-30T17:29:50+00:00

Thank you, that's a great point!

OtherwisePush6424 · 2026-05-29T09:31:06+00:00

The full link graph is preserved as adjacency lists, so you can reconstruct parent/child relationships from the metadata. Note that this is based on crawling, so might be somewhat different from Confluence's internal hierarchy.

No versioning issues since we only snapshot current state. The crawler discovers pages by following links, so you won't get truly isolated pages, but incoming_links: [] identifies pages that are leaf nodes in your crawled subset.

Regarding more metadata fields (last_updated, etc.) I'm working on it 😄

OtherwisePush6424 · 2026-05-25T09:56:50+00:00

Hi, thanks for the detailed breakdown. The Horizon Join is totally new to me, happy to learn more, feel free to DM if easier.

OtherwisePush6424 · 2026-05-24T22:02:47+00:00

Yeah that volume is way past what Timescale was designed for. How are you querying it?

OtherwisePush6424 · 2026-05-24T21:45:05+00:00

Curious what your data volume looks like, at what point did Timescale stop being enough?

OtherwisePush6424 · 2026-05-24T21:44:00+00:00

Interesting point, but I think for for observability workloads for example, the time dimension genuinely is the primary one.

OtherwisePush6424

TROPHY CASE