Closed david-gettins closed 2 years ago
david-gettins
commented
2 years ago Further to my concerns, the SSH URL does not work during CI. I am not happy adding any SSH related steps to my CI as it could present a security vulnerability on our company's self-hosted build agents.
david-gettins
commented
2 years ago For now I have forked this repo into my company's org and set up a package push to our private npm registry on GitHub. For anyone else wanting to do this it is quite simple but does not resolve the issue of knowing whether the latest commit is stable, only the library maintainers and contributors can say that.
elliottkember
commented
2 years ago @david-gettins Hi David! Thank you for your questions. We're working on publishing this package and pointing to it directly from the original NPM alias right now.
Those instructions were for our internal use and were written before we had agreed to take on ownership of the package - sorry for the confusion.
david-gettins
commented
2 years ago Brilliant thank you for your response.
I see your instructions for installation requires me to point to a commit hash from this repository. I find this a little worrying, as a consumer of this package I would like the security of stable releases. Unfortunately pointing to a commit hash provides me with no confidence as I could be pointing to a broken commit.
Please can you set up a release to npm or similar so I can feel safe that the released version is stable in your eyes?