Open splix opened 2 years ago
@bcoe do you think the approach I suggested with packageAllowlist is acceptable? I'm willing to make a PR to fix this but want to make sure it aligns with the project direction, and I guess you're the maintainer of the project now. What do you think?
Hello @splix, apologies for the slow reply.
This library is not currently used by our team, and my contributions have been isolated to dependency updates in the past.
Your recommendation for handling unpublished packages seems reasonable, but I'm not sure how timely the review will be on this repository. It may be worth considering forking the project, along with sending us a patch.
We have 2 independent projects, one depends on another. Say ProjectApp, which uses ProjectLib. During the development we publish each commit to the ProjectLib as a tarball accessible by a URL. And we want to use that development/snapshot version in ProjectApp. Which works fine by itself, we are able to reference it by URL.
But the problem is that js-green-license doesn't work in that situation because it tries to download package.json of ProjectLib from NPM, which doesn't exist:
I see a couple of ways how js-green-license can deal with it, and I can submit a PR with one of the solutions, but I'd like to hear the js-green-license authors' opinion on this.
I think that the most straightforward solution would be using packageAllowlist and ignoring unpublished dependencies which are in this list. I mean just skip VersionNotFoundError for such packages, but check them if they exist. Is that ok?
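The handling proposed in the issue above, sketched as an added example (not js-green-license code and not part of the original thread): a missing registry entry is tolerated only for allowlisted names, everything else fails closed. The `REGISTRY` map, `fetchPackageJson`, `checkDependencies`, the local `VersionNotFoundError` class and the example URL are hypothetical stand-ins, and the allowlist semantics follow the issue text rather than the library's actual behaviour.

```javascript
// Added illustration; none of these names are the library's real API.
class VersionNotFoundError extends Error {}

// Constructed stand-in for the npm registry: "name@version" -> package.json.
const REGISTRY = new Map([
  ['left-lib@1.0.0', { license: 'MIT' }],
  ['copyleft-lib@2.1.0', { license: 'GPL-3.0' }],
  ['ProjectLib@0.9.0', { license: 'GPL-3.0' }],
]);

// Hypothetical lookup: a URL spec (tarball snapshot) never matches a registry entry.
function fetchPackageJson(name, version) {
  const pkg = REGISTRY.get(`${name}@${version}`);
  if (!pkg) throw new VersionNotFoundError(`${name}@${version} not found`);
  return pkg;
}

function checkDependencies(deps, { greenLicenses, packageAllowlist }) {
  const report = { ok: [], skipped: [], failed: [] };
  for (const [name, version] of Object.entries(deps)) {
    let pkg;
    try {
      pkg = fetchPackageJson(name, version);
    } catch (err) {
      // Tolerate only the "not published" error, and only for allowlisted names.
      if (err instanceof VersionNotFoundError && packageAllowlist.includes(name)) {
        report.skipped.push(name);
        continue;
      }
      // Any other missing package (typo, unexpected name) fails the check.
      report.failed.push({ name, reason: err.message });
      continue;
    }
    // A package that does exist is still checked, even when allowlisted.
    if (greenLicenses.includes(pkg.license)) report.ok.push(name);
    else report.failed.push({ name, reason: `license ${pkg.license}` });
  }
  return report;
}
```

Recording skipped packages in the report, rather than dropping them silently, keeps the unchecked dependencies visible to whoever reviews the result.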