GithubHelp home page GithubHelp logo

Comments (3)

zkat avatar zkat commented on June 16, 2024 1

@iarna and I are in the process of figuring out a way forward for git dependencies. This whole thing's a bit tricky, but the crux of it is that, unlike with registry deps, we can't use integrity-based verification for git deps: the integrity string is generated from the packed tarball after a git dependency has been built, and there's literally no guarantee that two different builds off the same git SHA would result in the same integrity string.

The thing we actually need is a better way to detect whether git deps are acceptably up to date, and that mostly has to do with figuring out the right layers to put the right markers into. @iarna can probably go into more detail than I can, since I think she went off to try to work on this last we spoke about it.

The tl;dr is:

  • package.json has foo/bar#my-branch
  • package-lock.json has git://github.com/foo/bar#deadbeef (resolved SHA)
  • We need a good way to look at node_modules (and package-lock.json) and go "ah, bar was installed using foo/bar#my-branch, and resolved to ...#deadbeef, and that's indeed what's installed, so I don't need to update (package-lock.json or node_modules/bar).

It sounds easier than it is, I think especially so because npm has to make sure both the node_modules/ version and the package-lock.json version actually correspond, and hopefully do so without hitting the network.

from pacote.

saboya avatar saboya commented on June 16, 2024

While I do understand some problems are harder than they seem, generating and tracking proper cache for git dependencies is not the main issue here. A cache miss should not result in packages being removed, it should result in packages being fetched 100% of the time.

This is fundamentally broken in a way that makes it extremely painful to work with git dependencies. Why is such behavior preferred rather than making sure every dependency is installed correctly, even if it takes longer?

from pacote.

zkat avatar zkat commented on June 16, 2024

@saboya the cache miss isn't what's causing the removal: it's a bug in the way npm itself recognizes and handles git dependencies.

from pacote.

Related Issues (20)

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google ❤️ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.