silverwind / updates

Flexible npm and poetry dependency update tool

Support private git dependencies that use git+ssh #42

Closed Raynos closed 1 year ago

Raynos commented 4 years ago

The module makes an HTTP call to github.

Would it be possible to support listing versions for a git dependency by spawning git as a child process?

git ls-remote git@github.com:Raynos/error

Running git ls-remote will list all the tags and you can filter by v{semver} prefix.

Running git ls-remote as a child process will support PUBLIC and PRIVATE git dependencies, as well as support git dependencies that are not github.

silverwind commented 4 years ago

How would that look in package.json? Do you have a commit hash appended?

Generally, I'd recommend https://github.com/features/packages over git dependencies which hosts a registry that should be compatible with this module.

Raynos commented 4 years ago

{
  "dependencies": {
    "data-layer-view": "Raynos/data-layer-view#v2.0.0",
    "electron-main": "github:Raynos/electron-main#v3.2.1",
    "private-components": "git+ssh://git@github.com/optoolco/private-components.git#v4.0.0"
  }
}

There are three different variants for this.

When running git ls-remote the following commands work

However the following DOES NOT work

The : & / between github.com & {userName} is special or something.
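An added example, not code from this thread or from the updates project, of the approach discussed above: it maps the three package.json variants to a remote, runs `git ls-remote` without a shell, and picks the highest `v{semver}` tag. The function names are hypothetical, resolving GitHub shorthands over SSH is an assumption, and the sample `ls-remote` output is constructed.

```javascript
// Added example; parseGitSpec, listRemoteTags and latestTag are hypothetical names.

// Map an npm git dependency spec to { remote, ref }. Assumption: GitHub
// shorthands are resolved over SSH so that ~/.ssh credentials apply.
function parseGitSpec(spec) {
  const i = spec.indexOf("#");
  const [loc, ref] = i === -1 ? [spec, null] : [spec.slice(0, i), spec.slice(i + 1)];
  const short = /^(?:github:)?([\w.-]+)\/([\w.-]+)$/.exec(loc);
  const remote = short
    ? `ssh://git@github.com/${short[1]}/${short[2]}.git`
    : loc.replace(/^git\+/, "");
  // Allowlist transports; new URL() throws on anything that is not a URL.
  if (!["ssh:", "https:"].includes(new URL(remote).protocol)) {
    throw new Error(`unsupported remote: ${remote}`);
  }
  return { remote, ref };
}

// Spawn git without a shell; "--" stops git from reading the remote as an option.
// Dynamic import keeps this usable from both CommonJS and ES modules.
async function listRemoteTags(remote) {
  const { execFileSync } = await import("node:child_process");
  const args = ["ls-remote", "--tags", "--refs", "--", remote];
  return execFileSync("git", args, { encoding: "utf8" });
}

// Return the highest vMAJOR.MINOR.PATCH tag in ls-remote output, or null.
function latestTag(lsRemoteOutput) {
  const found = [];
  for (const line of lsRemoteOutput.split("\n")) {
    const m = /^[0-9a-f]{40,64}\trefs\/tags\/(v(\d+)\.(\d+)\.(\d+))$/.exec(line);
    if (m) found.push({ tag: m[1], parts: m.slice(2).map(Number) });
  }
  // Compare numerically so v3.10.0 sorts above v3.2.1.
  found.sort((a, b) =>
    a.parts[0] - b.parts[0] || a.parts[1] - b.parts[1] || a.parts[2] - b.parts[2]);
  return found.length ? found[found.length - 1].tag : null;
}

// Constructed sample of `git ls-remote --tags --refs` output (object ids are fake).
const SAMPLE_LS_REMOTE = [
  "1".repeat(40) + "\trefs/tags/v3.2.1",
  "2".repeat(40) + "\trefs/tags/v3.10.0",
  "3".repeat(40) + "\trefs/tags/v4.0.0-beta",
  "4".repeat(40) + "\trefs/tags/nightly",
].join("\n");

console.log(parseGitSpec("git+ssh://git@github.com/optoolco/private-components.git#v4.0.0"));
console.log(latestTag(SAMPLE_LS_REMOTE));
```

Pre-release and non-version tags are skipped here; `listRemoteTags` needs network access and working SSH credentials, so the sample output stands in for it.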

silverwind commented 4 years ago

Will think about it. What you can already do is depend on tarballs using a commit hash:

"updates": "https://github.com/silverwind/updates/tarball/6941e05",

This uses the GitHub API to retrieve the latest hash. It may also work with tags, not sure.

I prefer tarballs because HTTPS gets through firewalls easier than SSH.

Raynos commented 4 years ago

The problem with an HTTPS link is credentials.

The benefit of a git+ssh link is that it just reads ~/.ssh/config and uses the credentials in my $HOMEDIR.

You would need to read credentials and then do some kind of OAUTH thing for private github packages.

silverwind commented 1 year ago

I am considering a git dependency that would allow this. See https://github.com/silverwind/updates/issues/60#issuecomment-1596085376.

silverwind commented 1 year ago

Though I think I will reject this as git dependencies in npm are not something that should be encouraged as they are volatile and can be deleted or force-pushed over anytime. It's the reason why the go language has introduced GOPROXY. It's much better to just publish your package to a (private) npm registry instead.