google / js-green-licenses

JavaScript package.json License Checker
Apache License 2.0

Dealing with unpublished packages #187

Open splix opened 2 years ago

splix commented 2 years ago

We have 2 independent projects, one depends on another. Say ProjectApp which uses ProjectLib. During the development we publish each commit of the ProjectLib as a tarball accessible by a URL. And we want to use that development/snapshot version in ProjectApp. Which works fine by itself, we are able to reference it by URL.

But the problem is that js-green-licenses doesn't work in that situation because it tries to download the package.json of ProjectLib from NPM, which doesn't exist:

VersionNotFoundError: Version `^0.9.0-dev` for package `@emeraldpay/emerald-vault-core` could not be found

I see a couple of ways how js-green-licenses can deal with it, and I can submit a PR with one of the solutions, but I'd like to hear the js-green-licenses authors' opinion on this.

I think that the most straightforward solution would be using packageAllowlist and ignoring unpublished dependencies which are in this list. I mean just skip VersionNotFoundError for such packages, but check them if they exist. Is that ok?
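The behaviour proposed above, as an added illustration that is not js-green-licenses code: dependencies are resolved against a registry lookup, and VersionNotFoundError is tolerated only for packages named in an allowlist, while allowlisted packages that do exist are still checked. The registry contents, package names and function names are constructed for the example.

```javascript
// Added illustration, not js-green-licenses code: resolve each dependency against a
// registry lookup and skip VersionNotFoundError only for packages named in an
// allowlist, as the issue proposes. The registry and package names are constructed.
class VersionNotFoundError extends Error {
  constructor(name, range) {
    super(`Version \`${range}\` for package \`${name}\` could not be found`);
    this.name = 'VersionNotFoundError';
  }
}

// Constructed stand-in for the npm registry: package -> exact version -> license.
const FAKE_REGISTRY = {
  'left-pad': { '1.3.0': 'MIT' },
  'some-copyleft-lib': { '2.0.0': 'GPL-3.0' },
};

// Look up the license for a dependency. Real code would match `range` with semver;
// here a leading ^ or ~ is stripped and the exact version is looked up instead.
function fetchLicense(name, range) {
  const version = range.replace(/^[\^~]/, '');
  const license = FAKE_REGISTRY[name] && FAKE_REGISTRY[name][version];
  if (!license) throw new VersionNotFoundError(name, range);
  return license;
}

// Check `deps` ({ name: range }) against `greenLicenses`. A package in `allowlist`
// is still checked when the registry knows it; only when it is unpublished is it
// recorded under `skipped` instead of failing the whole run.
function checkLicenses(deps, allowlist, greenLicenses) {
  const result = { checked: [], skipped: [], violations: [] };
  for (const [name, range] of Object.entries(deps)) {
    let license;
    try {
      license = fetchLicense(name, range);
    } catch (err) {
      if (err instanceof VersionNotFoundError && allowlist.includes(name)) {
        result.skipped.push(name); // no license was verified for this package
        continue;
      }
      throw err; // unpublished and not allowlisted: surface the error as today
    }
    result.checked.push(name);
    if (!greenLicenses.includes(license)) {
      result.violations.push(`${name}@${range}: ${license}`);
    }
  }
  return result;
}
```

Anything listed under `skipped` has had no license verified at all, so a checker taking this route should print that list in its report rather than dropping those packages silently.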

splix commented 1 year ago

@bcoe do you think the approach I suggested with packageAllowlist is acceptable? I'm willing to make a PR to fix this but want to make sure it aligns with the project direction, and I guess you're the maintainer of the project now. What do you think?

bcoe commented 10 months ago

Hello @splix, apologies for the slow reply.

This library is not currently used by our team, and my contributions have been isolated to dependency updates in the past.

Your recommendation for handling unpublished packages seems reasonable, but I'm not sure how timely the review will be on this repository. It may be worth considering forking the project, along with sending us a patch.