Hm, so git is part of the app.

Since it needs to be available on the Internet, doesn't that create a security risk?

Imagine secrets that got accidentally committed.

With that decentralised nature, how would an upgrade path look like?
What if it requires migrations of any kind?

@RyunoKi Yeah, folks should not commit secrets to git. This applies equally to every publicly-accessible Git repository ever (which, at last count, I believe was several hundred million) ;)

Upgrades are git pulls with npm install being run automatically as necessary if Node modules are used. Migrations are the responsibility of the apps themselves. Kitten apps can run them for the in-process JSDB database (codeberg.org/small-tech/jsdb) at startup from the main.script (entrypoint).

jsdb

A zero-dependency, transparent, in-memory, streaming write-on-update JavaScript database for the Small Web that persists to a JavaScript transaction log.

^Codeberg.org

Agree.

Any specific reason why npm (vs yarn or pnpm for example)?
Or just to start somewhere?

Alright.

I remember there was an alternative package manager that used a decentralised repository (P2P even) but I can't recall it's name 😖

Sure.

I wouldn't hold my breath for it, though.