Closed Raynos closed 1 year ago
How would that look in package.json? Do you have a commit hash appended?
Generally, I'd recommend https://github.com/features/packages over git dependencies which hosts a registry that should be compatible with this module.
{
  "dependencies": {
    "data-layer-view": "Raynos/data-layer-view#v2.0.0",
    "electron-main": "github:Raynos/electron-main#v3.2.1",
    "private-components": "git+ssh://git@github.com/optoolco/private-components.git#v4.0.0"
  }
}
There are three different variants for this.
${githubUser}/${repoName}#v{semver} aka Raynos/error#v10.3.0
${githubUser}/${repoName}#v{semver} aka github:Raynos/error#v10.3.0
git+ssh://git@github.com:${githubUser}/${repoName}.git#v{semver} aka git+ssh://git@github.comRaynos/error.git#v10.3.0
When running git ls-remote the following commands work
git ls-remote git+ssh://git@github.com/Raynos/error.git | head
git ls-remote git@github.com:Raynos/error.git | head
git ls-remote git@github.com:Raynos/error | head
However the following DOES NOT work
git ls-remote git+ssh://git@github.com:Raynos/error.git | head
git ls-remote git@github.com/Raynos/error | head
The : & / between github.com & {userName} is special or something.
Will think about it. What you can already do is depend on tarballs using a commit hash:
"updates": "https://github.com/silverwind/updates/tarball/6941e05",
This uses the GitHub API to retrieve the latest hash. It may also work with tags, not sure.
I prefer tarballs because HTTPS gets through firewalls easier than SSH.
The problem with a HTTPS link is credentials.
The benefit of a git+ssh link is that it just reads ~/.ssh/config and uses the credentials in my $HOMEDIR.
You would need to read credentials and then do some kind of OAUTH thing for private github packages.
I am considering a git dependency that would allow this. See https://github.com/silverwind/updates/issues/60#issuecomment-1596085376.
Though I think I will reject this, as git dependencies in npm are not something that should be encouraged: they are volatile and can be deleted or force-pushed over anytime. It's the reason why the Go language has introduced GOPROXY. It's much better to just publish your package to a (private) npm registry instead.
The module makes a HTTP call to github.
Would it be possible to support listing versions for a git dependency by spawning git as a child process?
Running git ls-remote will list all the tags and you can filter by v{semver} prefix.
Running git ls-remote as a child process will support PUBLIC and PRIVATE git dependencies, as well as support git dependencies that are not github.
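
A sketch of the git ls-remote approach discussed in this thread, as an added example that is not code from the updates module or from either participant. The function names are hypothetical, and expanding the user/repo shorthand to GitHub's scp-style SSH address is an assumption. It returns the commit the newest v{semver} tag currently resolves to, which is the value to pin or compare given that tags can be force-pushed.

```javascript
// Added example; toGitUrl, latestTag and listRemoteTags are hypothetical names.

// npm git spec -> URL that `git ls-remote` accepts, plus the #ref.
function toGitUrl(spec) {
  const [base, ref = ''] = spec.split('#');
  let url = base.replace(/^github:/, '');
  // Assumption: user/repo shorthand maps to GitHub's scp-style SSH address.
  if (/^[\w.-]+\/[\w.-]+$/.test(url)) url = `git@github.com:${url}.git`;
  // In ssh:// URLs a ':' after the host introduces a port, so
  // host:user/repo fails; rewrite it to host/user/repo.
  url = url.replace(/^(git\+ssh:\/\/[^/:]+):(?!\d+\/)/, '$1/');
  if (url.startsWith('-')) throw new Error('URL would be parsed as a git option');
  return { url, ref };
}

// Highest vMAJOR.MINOR.PATCH tag in ls-remote output and the commit it resolves to.
function latestTag(lsRemoteOutput) {
  const commits = new Map(); // "10.3.0" -> sha
  for (const line of lsRemoteOutput.split('\n')) {
    const m = /^([0-9a-f]{40,64})\trefs\/tags\/v(\d+\.\d+\.\d+)(\^\{\})?$/.exec(line.trim());
    if (!m) continue;
    // A "^{}" line is the commit behind an annotated tag; prefer it.
    if (m[3] || !commits.has(m[2])) commits.set(m[2], m[1]);
  }
  const num = (v) => v.split('.').map(Number);
  const best = [...commits.keys()].sort((a, b) => {
    const x = num(a), y = num(b);
    return x[0] - y[0] || x[1] - y[1] || x[2] - y[2]; // numeric, so 10.x > 9.x
  }).pop();
  return best ? { tag: `v${best}`, commit: commits.get(best) } : null;
}

// Spawns git without a shell so the spec is never interpreted as shell syntax.
async function listRemoteTags(spec) {
  const { execFile } = await import('node:child_process');
  const { url } = toGitUrl(spec);
  return new Promise((resolve, reject) => {
    execFile('git', ['ls-remote', '--tags', '--', url], { timeout: 15000 },
      (err, stdout) => (err ? reject(err) : resolve(latestTag(stdout))));
  });
}

// Constructed sample of `git ls-remote --tags` output (hashes are made up).
const SAMPLE = [
  `${'a'.repeat(40)}\trefs/tags/v9.8.0`,
  `${'b'.repeat(40)}\trefs/tags/v10.3.0`,     // annotated tag object
  `${'c'.repeat(40)}\trefs/tags/v10.3.0^{}`,  // commit that tag points at
  `${'d'.repeat(40)}\trefs/tags/nightly`,
].join('\n');
```

Pre-release tags such as v1.0.0-beta are skipped by the tag pattern.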