Possible to publish packages with removed dependencies.

[rupertlssmith]

If you have a long-lived ~/.elm folder, it may contain dependencies that have been removed or renamed on Github. The most frequent one being Skinney/murmur3.

Given that situation, it is possible to publish a new package that depends on it, even though the dependency is broken.

Example

I just published:

https://package.elm-lang.org/packages/the-sett/salix/4.0.1/

Solution?

If publish builds were always done against a clean temporary folder, like say /tmp/elm-publish-1d76as9d87asd, then at least all dependencies would be downloaded freshly.

Package server side build verification.

[github-actions[bot]]

Thanks for reporting this! To set expectations:

• Issues are reviewed in batches, so it can take some time to get a response.
• Ask questions in a community forum. You will get an answer quicker that way!
• If you experience something similar, open a new issue. We like duplicates.

Finally, please be patient with the core team. They are trying their best with limited resources.