jspm / npm

NPM Location Service

github: is a valid dependency format for npm #101

Closed ghost closed 8 years ago

ghost commented 8 years ago

guybedford commented 8 years ago

Thanks for posting. The https://github.com case is filtered out in the first part of the conditional.

I did not know github:owner/repo was a valid dependency format on npm? It is not listed in https://docs.npmjs.com/files/package.json#dependencies.

guybedford commented 8 years ago

Thanks, you're completely right, we should support this.

letmaik commented 8 years ago

The issue with this is that it requires actually building the package first, otherwise some packages may just end up broken. Packages published on npm are already built (ignoring postinstall for now), but using a direct git dependency means it potentially needs the build step (or install or prepublish or whatever npm phase that corresponds to). I wouldn't worry too much about security when running scripts since the user opts in to that by using a "source" dependency.

In my case, the build step is just transpilation (which however is the difference between src/ vs transpiled/ folders and having the correct path in "main").
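An added example, not part of the thread and not jspm's or npm's own code: a simplified heuristic that lists the "source" dependencies in a manifest (the `github:owner/repo` and `https://github.com` forms discussed above, plus other git specifiers) and reports whether each is pinned to a full commit hash. The function names and the sample manifest are constructed for illustration.

```javascript
// Added example: a simplified heuristic, not npm's or jspm's own resolver.
// It lists package.json dependencies fetched from a git host instead of the
// registry, and whether each one is pinned to a full commit hash.
const HOST_SHORTCUTS = ['github:', 'gist:', 'bitbucket:', 'gitlab:'];
const GIT_SCHEMES = /^git(\+(ssh|https?|file))?:\/\//;
const SOURCE_KINDS = new Set(['git-shortcut', 'git-url', 'github-https']);

function classifySpec(spec) {
  const s = String(spec).trim();
  if (HOST_SHORTCUTS.some((p) => s.startsWith(p))) return 'git-shortcut';
  if (GIT_SCHEMES.test(s)) return 'git-url';
  // Any https://github.com URL is flagged for review, archives included.
  if (/^https?:\/\/(www\.)?github\.com\//.test(s)) return 'github-https';
  if (/^https?:\/\//.test(s)) return 'tarball-url';
  if (/^(file:|\.{0,2}\/|~\/)/.test(s)) return 'local-path';
  if (s.startsWith('npm:')) return 'registry'; // alias to a registry package
  // Bare "owner/repo" (optionally "#ref") is the GitHub shorthand.
  if (/^[\w.-]+\/[\w.-]+(#.+)?$/.test(s)) return 'git-shortcut';
  return 'registry'; // semver range or dist-tag
}

function auditDependencies(pkg) {
  const findings = [];
  for (const field of ['dependencies', 'devDependencies', 'optionalDependencies']) {
    for (const [name, spec] of Object.entries(pkg[field] || {})) {
      const kind = classifySpec(spec);
      if (!SOURCE_KINDS.has(kind)) continue;
      // A branch or tag name can move; only a 40-hex commit hash is fixed.
      const pinned = /#[0-9a-f]{40}$/i.test(spec);
      findings.push({ field, name, spec, kind, pinned });
    }
  }
  return findings;
}

// Constructed sample manifest (all names, hosts and the hash are made up).
const samplePkg = {
  dependencies: {
    'left-lib': '^1.2.0',
    'src-lib': 'github:example-owner/example-repo',
    'pinned-lib': 'git+https://git.example.com/team/lib.git#0123456789abcdef0123456789abcdef01234567',
    'url-lib': 'https://github.com/example-owner/other-repo',
    'tar-lib': 'https://registry.example.com/tar-lib-1.0.0.tgz',
  },
  devDependencies: { 'short-lib': 'example-owner/tooling#main' },
};

console.log(auditDependencies(samplePkg));
```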

guybedford commented 8 years ago

@neothemachine the build operations are a separate issue to this one I believe, which has actually been fixed. Happy to continue that discussion though.