sheerun / bower-away

A tool for migrating away from Bower (to Yarn)

Edits to package.json no longer work as of March 2022 #35

Open willroberts opened 2 years ago

willroberts commented 2 years ago

GitHub permanently removed support for the unauthenticated Git protocol in March 2022: https://github.blog/2021-09-01-improving-git-protocol-security-github/

bower-away adds dependencies to package.json like so:

"@bower_components/some-component": "git://github.com/some-github-org/some-component.git#1.2.3",

As mentioned in the article, the unauthenticated Git protocol is no longer supported. The URL can be modified to use HTTPS, but anchors and redirection are not supported, meaning we can't specify the dependency version:

% git clone https://github.com/some-github-org/some-component.git#1.2.3
Cloning into 'some-component.git#1.2.3'...
fatal: unable to update url base from redirection:
  asked for: https://github.com/some-github-org/some-component.git#1.2.3/info/refs?service=git-upload-pack
   redirect: https://github.com/some-github-org/some-component

Slightly different issue with git+ssh:

% git clone git+ssh://git@github.com/some-github-org/some-component.git#v1.0.0
Cloning into 'some-component.git#v1.0.0'...
fatal: remote error:
   is not a valid repository name

There doesn't seem to be an easy way to resolve this, so bower-away would need some modifications to continue working.

willroberts commented 2 years ago

I actually just found a way to make this work in package.json: use some-github-org/some-component#1.2.3 without any protocol specification!
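
The workaround from this thread applied to a whole manifest, as an added example that is not part of the original issue or of bower-away itself. The function names and the sample manifest are constructed for illustration; only `git://github.com/...` specs are rewritten to the `owner/repo#ref` shorthand, and any other `git://` URL is reported for manual review instead of being guessed at.

```javascript
// Matches git://github.com/<owner>/<repo>[.git][#<ref>] and captures the parts.
const GIT_GITHUB =
  /^git:\/\/github\.com\/([^\/\s#]+)\/([^\/\s#]+?)(?:\.git)?(?:#(.+))?$/;

// Convert one dependency spec to the GitHub shorthand, or return null
// when the spec is not an unauthenticated-git GitHub URL.
function toShorthand(spec) {
  const m = GIT_GITHUB.exec(spec);
  if (!m) return null;
  const [, owner, repo, ref] = m;
  return ref ? `${owner}/${repo}#${ref}` : `${owner}/${repo}`;
}

// Rewrite a parsed package.json object in place.
// Returns which entries were changed and which git:// entries could not be
// converted (non-GitHub hosts have no shorthand equivalent).
function rewriteManifest(manifest) {
  const changed = [];
  const unresolved = [];
  for (const field of ["dependencies", "devDependencies"]) {
    const deps = manifest[field] || {};
    for (const [name, spec] of Object.entries(deps)) {
      if (typeof spec !== "string" || !spec.startsWith("git://")) continue;
      const shorthand = toShorthand(spec);
      if (shorthand) {
        deps[name] = shorthand;
        changed.push(name);
      } else {
        unresolved.push(name);
      }
    }
  }
  return { changed, unresolved };
}

// Constructed sample manifest (placeholder names taken from the thread).
const sample = {
  dependencies: {
    "@bower_components/some-component":
      "git://github.com/some-github-org/some-component.git#1.2.3",
    "@bower_components/other-host": "git://example.org/x/y.git#1.0.0",
    "left-alone": "^2.0.0",
  },
};
const report = rewriteManifest(sample);
console.log(JSON.stringify({ sample, report }, null, 2));
```

In a real project, read `package.json` with `JSON.parse`, run `rewriteManifest`, write the result back, and reinstall so the lockfile stops referencing `git://` URLs.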