Background
Currently the registry config affects the lockfile and the fetch cache key, which affects anyone (including CI, such as GitHub Actions) working on the same project using the same registry to fetch dependencies. This behavior is correct, but seems beyond the mirror registry's purpose.
Here I want to distinguish one thing: there are two kinds of registries.
Mirror registry: serves as a copy of the default registry. The fetch cache should always be the same as for the default one.
Note that many of them do not have an audit API endpoint (#4382); we may need another setting, or to hard-code the audit request. In fact the audit step in install would time out when people start using mirrors.
Private registry, like npm.pkg.github.com. Private packages usually work under some scope name.
I know there's a config replace-registry-host=always which can always respect the registry setting from the command line. But that seems like a footgun and can't be treated as the default behavior.
Proposal
Therefore, I'm proposing a feature to separate the mirror usage out. For example mirror-registry=<url> or registry-is-mirror=true. When it is set, arborist uses this config to fetch dependencies as it currently does, but it writes out the default registry (https://registry.npmjs.org/) in the package-lock.json's resolved field.
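The rewrite the proposal describes, as an added illustration that is not npm or arborist code: resolvedForLockfile takes the URL a tarball was actually fetched from plus the configured mirror and returns what the lockfile's resolved field should contain, so mirror URLs become the default registry while scoped private-registry URLs are kept. The mirror URL, the scope name and the sample lockfile entries are constructed for the example.

```javascript
// Added illustration of the proposed behaviour, not npm/arborist code.
// The mirror URL and the lockfile entries below are constructed.
const DEFAULT_REGISTRY = 'https://registry.npmjs.org/';

// Registry URLs are compared as prefixes, so force exactly one trailing slash.
function normalizeRegistry(url) {
  return url.endsWith('/') ? url : url + '/';
}

// Given the URL a tarball was actually fetched from, return what the lockfile's
// "resolved" field should say: a mirror URL is rewritten to the default registry;
// anything else (a scoped private registry such as npm.pkg.github.com) is kept.
function resolvedForLockfile(fetchedUrl, { mirrorRegistry, defaultRegistry = DEFAULT_REGISTRY } = {}) {
  if (!mirrorRegistry) return fetchedUrl;
  const mirror = normalizeRegistry(mirrorRegistry);
  if (!fetchedUrl.startsWith(mirror)) return fetchedUrl;
  return normalizeRegistry(defaultRegistry) + fetchedUrl.slice(mirror.length);
}

// Apply the rewrite to every entry of a lockfileVersion 3 "packages" map;
// integrity hashes identify the tarball bytes and are left untouched.
function rewriteLockfile(lock, opts) {
  const packages = {};
  for (const [path, entry] of Object.entries(lock.packages)) {
    packages[path] = entry.resolved
      ? { ...entry, resolved: resolvedForLockfile(entry.resolved, opts) }
      : { ...entry };
  }
  return { ...lock, packages };
}
// Constructed sample: one package fetched through a mirror, one scoped package
// from a private registry. Integrity values are placeholders.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo' },
    'node_modules/lodash': {
      version: '4.17.21',
      resolved: 'https://mirror.example.com/lodash/-/lodash-4.17.21.tgz',
      integrity: 'sha512-PLACEHOLDER',
    },
    'node_modules/@myorg/internal': {
      version: '1.0.0',
      resolved: 'https://npm.pkg.github.com/@myorg/internal/-/internal-1.0.0.tgz',
      integrity: 'sha512-PLACEHOLDER',
    },
  },
};
const rewritten = rewriteLockfile(sampleLock, { mirrorRegistry: 'https://mirror.example.com' });
console.log(JSON.stringify(rewritten.packages, null, 2));
```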
Alternative
pnpm and deno only write out a sha512 integrity in the lockfile. Maybe we can implement a package-lock.json v4 starting from here?