danieldietrich / npm-private

🚀 A script that allows using GitHub release assets as private npm dependencies.

Change the destination of downloaded tarballs #4

Open danieldietrich opened 5 years ago

danieldietrich commented 5 years ago

Currently we have a two-step dependency installation process:

  1. Download assets / tarballs from a private repository using the preinstall hook (currently only GitHub is supported)
  2. Install tarball using a file:...tgz dependency

We download the tarballs to a local directory <project-root>/.npm-private, which has several caveats:

[trn] and [dup] could be solved by downloading & referencing tarball dependencies using a central location ~/.npm-private instead of <project-root>/.npm-private.

[ver] could be solved by breaking up multi repos to separate npm packages and using the standard npm git support:

We use the local user's .gitconfig in order to tell git to use https:// with credentials instead of ssh:// (the pass may be a GitHub access token).

git config --global url."https://user:pass@github.com".insteadOf ssh://git@github.com

That way we can use ssh:// urls in our package.json without exposing user credentials (see Git URLs as Dependencies):

{
    "dependencies": {
        "my-project": "git+ssh://git@github.com:my-org/my-project#semver:^5.0"
    }
}

Another solution: We skip the .gitconfig part and use GitHub with SSH instead.
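As an added illustration of the insteadOf approach above (example code, not part of the npm-private project or this issue), the following script models git's longest-prefix insteadOf rewrite over a constructed package.json and flags any git dependency whose committed URL itself carries a password or token; the rule, the dependency names and the token value are assumptions.

```python
import json
from urllib.parse import urlsplit

# Constructed sample package.json (not from the npm-private project): one
# dependency uses the ssh:// form the issue recommends, one wrongly embeds
# a placeholder token directly in the committed URL.
SAMPLE_PACKAGE_JSON = """{
  "dependencies": {
    "my-project": "git+ssh://git@github.com/my-org/my-project.git#semver:^5.0",
    "leaky": "git+https://user:ghp_EXAMPLETOKEN@github.com/my-org/leaky.git#v1.0.0"
  }
}"""

# Mirrors `git config --global url.<base>.insteadOf <prefix>` from the issue;
# the placeholder credentials live only in ~/.gitconfig, never in package.json.
INSTEADOF_RULES = {"ssh://git@github.com": "https://user:pass@github.com"}


def strip_git_prefix(spec: str) -> str:
    """npm's 'git+' marker is not part of the URL that git receives."""
    return spec[4:] if spec.startswith("git+") else spec


def rewrite(spec: str, rules: dict = INSTEADOF_RULES) -> str:
    """Apply insteadOf the way git does: the longest matching prefix wins."""
    url = strip_git_prefix(spec)
    matches = [prefix for prefix in rules if url.startswith(prefix)]
    if not matches:
        return url
    longest = max(matches, key=len)
    return rules[longest] + url[len(longest):]


def has_embedded_secret(spec: str) -> bool:
    """True when the spec carries a password/token in its userinfo.
    A bare 'git@' ssh user is not a secret, so only the password counts."""
    return urlsplit(strip_git_prefix(spec)).password is not None


def audit(package_json: str) -> dict:
    """Return {name: (url_git_will_fetch, secret_committed)} for git dependencies."""
    deps = json.loads(package_json).get("dependencies", {})
    return {
        name: (rewrite(spec), has_embedded_secret(spec))
        for name, spec in deps.items()
        if urlsplit(strip_git_prefix(spec)).scheme in ("ssh", "https", "http", "git")
    }


if __name__ == "__main__":
    for name, (url, leaks) in audit(SAMPLE_PACKAGE_JSON).items():
        print(f"{name}: fetched from {url}{'  <-- secret committed!' if leaks else ''}")
```

Note that with this rule the token still sits in plaintext in ~/.gitconfig; a git credential helper keeps the same insteadOf rewrite without storing the password inside the URL.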

danieldietrich commented 5 years ago

I've experimented a bit... In order to use git tags as dependencies

I think I will tweak our existing npm-private script a bit instead (on Monday)...