jsr-io / jsr

The open-source package registry for modern JavaScript and TypeScript

https://jsr.io

MIT License

2.15k stars 97 forks source link

`github:` dependencies are not supported (`uWebSockets.js`) #102

Open pi0 opened 4 months ago

pi0 commented 4 months ago

Hi. Today I noticed an issue when trying to publish an existing npm package that has optional peer dependency on uWebSockets.js which is officially only published on Github.

Reproduction: https://github.com/unjs/crossws/pull/19
Relavant issue: https://github.com/uNetworking/uWebSockets.js/issues/1026

package.json:

{
  "peerDependencies": {
    "uWebSockets.js": "*"
  },
  "peerDependenciesMeta": {
    "uWebSockets.js": {
      "optional": true
    }
  }
}

deno.json: (I guess it is not picked btw)

{
  "imports": {
    "uWebSockets.js": "https://esm.sh/gh/uNetworking/uWebSockets.js"
  }
}

Deno publish (1.41.1)

deno publish --dry-run
error: npm package 'uWebSockets.js' does not exist.

lucacasonato commented 4 months ago

We will likely not support depending on github: NPM packages - they are too unstable and not well lockable. It breaks our immutability model in some ways.

pi0 commented 4 months ago

I see. Trying to find a middle ground here. https://github.com/uNetworking/uWebSockets.js/issues/1026#issuecomment-1973260549 the mentioned library also aims not to opt into any registry.

Besides this particular case, i guess it might happen in the future. For the sake of jsr usage increase, would you consider gh releases with (content) digest? (gh:repo/name#ref+hash)

Or another alternative: Perhaps just skip error when optional peer dependency is specified? It seems deno is not picking on that meta right now.

Or another alternative: Support import maps in this case as escape hatch?

lucacasonato commented 4 months ago

I suggest you either vendor the dependency into your package, or publish it to JSR yourself for the time being :)

pi0 commented 4 months ago

Yeah probably would do 👍 (mainly waiting for blessing of the author)

How shall we followup these two:

Possibility of immutable github deps with inline content hash
Possibility of deno/jsr to respect/ignore optional peer deps

My understanding is thst these two would be still viable to discuss even if could workaround uwsjs.

BTW feel free to simply say or close this issue if too much. I understand you might have more priorities than this for jsr and don’t want to put extra pressure.

lucacasonato commented 4 months ago

So feel free to open another issue for 2 - it seems useful to figure this out, but unless there is another compelling reason for 1, I'm not inclined to explore that right now.

zephraph commented 1 month ago

301 exists for resolving the peer deps issue.