Closed thomashoneyman closed 2 years ago
This seems the right path forward, I have a few notes:
subdir
in this equation - i.e. the tuple url, subdir
must be unique. (so far we haven't been using the subdir
at all, which is why we encountered this)Ah! Of course; monorepo support requires duplicate locations, with different subdirectories. That’s a great point. So we would want to enforce uniqueness for the location + subdir.
As far as reusing old locations — you’re right, that’s not an issue. If you’re installing by package name then it doesn’t matter what the location was.
I noticed while working on #444 that a number of packages in the registry point to the same repository.
For example, we uploaded several releases for the
profunctors
library by@joneshf
, but it turns out that this package is just a fork of theprofunctor
library using another name. It doesn't have any releases of its own and is listed in the Bower registry as pointing at thepurescript-profunctor
core library. The result: theprofunctors
library in the registry is just a bunch of copies of theprofunctor
library.Worse, these duplicate libraries we're registering (such as
profunctors
) aren't even installable by Bower, so I'm not sure why they're included in the Bower registry file:Should we allow multiple packages in the registry to point to the same location? For example, should I be able to register a new package,
affy
, which points tohttps://github.com/purescript-contrib/purescript-aff
? Right now we allow this and will package up everyaff
release as anaffy
release.My feeling is that we don't want new packages to be able to target an already-published package location. We definitely don't want a new package to be registered against a package location that is currently in use; possibly, if a location was used and then the package was transferred, it could become eligible for use again, but I think we should deny that as well.
Here is the list of duplicates in the
new-packages.json
andbower-packages.json
files. This list represents package names that are all registered to the same package location.Next Steps
I think we should address this situation by taking these steps:
new-packages.json
andbower-packages.json
files so that there aren't duplicate package locations anymore. The packages I've spot-checked all have a clear canonical package name <-> package location.verify-registry
script check so that we don't allow packages to use package locations that are already being used. Right now we only store the current package location for any given package, so there's no way for us to enforce that the package location you're trying to register was never used before. We'd have to adjust metadata so that it stores a package location per version if we wanted to enforce that.