Comments (3)
@iarna and I are in the process of figuring out a way forward for git dependencies. This whole thing's a bit tricky, but the crux of it is that, unlike with registry deps, we can't use integrity-based verification for git deps: the integrity string is generated from the packed tarball after a git dependency has been built, and there's literally no guarantee that two different builds off the same git SHA would result in the same integrity string.
The thing we actually need is a better way to detect whether git deps are acceptably up to date, and that mostly has to do with figuring out the right layers to put the right markers into. @iarna can probably go into more detail than I can, since I think she went off to try to work on this last we spoke about it.
The tl;dr is:
- `package.json` has `foo/bar#my-branch`
- `package-lock.json` has `git://github.com/foo/bar#deadbeef` (resolved SHA)
- We need a good way to look at `node_modules` (and `package-lock.json`) and go "ah, `bar` was installed using `foo/bar#my-branch`, and resolved to `...#deadbeef`, and that's indeed what's installed, so I don't need to update (`package-lock.json` or `node_modules/bar`).

It sounds easier than it is, I think especially so because npm has to make sure both the `node_modules/` version and the `package-lock.json` version actually correspond, and hopefully do so without hitting the network.
from pacote.
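
The three-layer comparison described in the comment above, sketched as an added example that is not part of the thread and is not npm or pacote code. The lock entry's `version`/`from` fields and the installed manifest's `_resolved` field are assumed layouts, and `checkGitDep` and `committish` are hypothetical names.

```javascript
// Added example (not npm or pacote code). Field names are assumptions:
// lock entry { version: "<url>#<sha>", from: "<spec>" }, installed `_resolved`.
const FULL_SHA = /^[0-9a-f]{40}$/;

// Part after '#' in a git spec or resolved URL, or null if there is none.
function committish(spec) {
  const i = typeof spec === 'string' ? spec.indexOf('#') : -1;
  return i === -1 ? null : spec.slice(i + 1);
}

// Compare the three layers for one git dependency without any network access.
// `installed` is the parsed node_modules/<name>/package.json, or null if absent.
function checkGitDep(name, manifest, lock, installed) {
  const requested = (manifest.dependencies || {})[name];
  const locked = (lock.dependencies || {})[name];
  if (!requested) return { ok: false, reason: 'not-requested' };
  if (!locked) return { ok: false, reason: 'not-locked' };
  const lockedSha = committish(locked.version);
  // A branch or tag is mutable, so only a full commit SHA counts as a pin.
  if (!lockedSha || !FULL_SHA.test(lockedSha)) return { ok: false, reason: 'lock-not-pinned' };
  // The lock must have been resolved from the ref package.json asks for now.
  // Simplification: only the ref is compared, not the repository part.
  if (committish(locked.from) !== committish(requested)) return { ok: false, reason: 'spec-changed' };
  if (!installed) return { ok: false, reason: 'not-installed' };
  if (committish(installed._resolved) !== lockedSha) return { ok: false, reason: 'installed-differs' };
  return { ok: true, reason: 'up-to-date' };
}

// Constructed sample data; the SHA is the thread's "deadbeef" padded to 40 hex digits.
const SHA = 'deadbeef'.repeat(5);
const manifest = { dependencies: { bar: 'foo/bar#my-branch' } };
const lock = { dependencies: { bar: {
  version: `git://github.com/foo/bar#${SHA}`, from: 'foo/bar#my-branch' } } };
const installed = { name: 'bar', _resolved: `git://github.com/foo/bar#${SHA}` };

console.log(checkGitDep('bar', manifest, lock, installed));
```

Any result other than `up-to-date` means the dependency should be fetched again rather than trusted, since no integrity string is available to settle the question for a git dependency.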
While I do understand some problems are harder than they seem, generating and tracking proper cache for git dependencies is not the main issue here. A cache miss should not result in packages being removed, it should result in packages being fetched 100% of the time.
This is fundamentally broken in a way that makes it extremely painful to work with git dependencies. Why is such behavior preferred rather than making sure every dependency is installed correctly, even if it takes longer?
@saboya the cache miss isn't what's causing the removal: it's a bug in the way npm itself recognizes and handles git dependencies.