updates icon indicating copy to clipboard operation
updates copied to clipboard

Published 20 hours ago verified publisher icon silverwind

Support private git dependencies that use git+ssh

Open Raynos opened this issue 5 years ago • 4 comments

The module makes a HTTP call to github.

Would it be possible to support listening versions for a git dependency by spawning git as a child process

git ls-remote [email protected]:Raynos/error

Running git ls-remote will list all the tags and you can filter by v{semver} prefix.

Running git ls-remote as a child process will support PUBLIC and PRIVATE git dependencies, as well as support git dependencies that are not github.

Raynos avatar May 19 '20 10:05 Raynos

How would that look in package.json? Do you have a commit hash appended?

Generally, I'd recommend https://github.com/features/packages over git dependencies which hosts a registry that should be compatible with this module.

silverwind avatar May 19 '20 11:05 silverwind 

{
  "dependencies": {
    "data-layer-view": "Raynos/data-layer-view#v2.0.0",
    "electron-main": "github:Raynos/electron-main#v3.2.1",
    "private-components": "git+ssh://[email protected]/optoolco/private-components.git#v4.0.0",
  }
}

There's three different variants for this.

  • ${githubUser}/${repoName}#v{semver} aka Raynos/error#v10.3.0
  • ${githubUser}/${repoName}#v{semver} aka github:Raynos/error#v10.3.0
  • git+ssh://[email protected]:${githubUser}/${repoName}.git#v{semver} aka git+ssh://[email protected]/error.git#v10.3.0

When running git ls-remote the following commands work

However the following DOES NOT work

The : & / between github.com & {userName} is special or something.

Raynos avatar May 19 '20 14:05 Raynos

Will think about it. What you can already do is depend on tarballs using a commit hash:

"updates": "https://github.com/silverwind/updates/tarball/6941e05",

This uses the GitHub API to retrieve the latest hash. It may also work with tags, not sure.

I prefer tarballs because HTTPS gets through firewalls easier than SSH.

silverwind avatar May 19 '20 19:05 silverwind

The problem with a HTTPS link is credentials.

The benefit of a git+ssh link is that it just reads ~/.ssh/config and uses the credentials in my $HOMEDIR.

You would need to read credentials and then do some kind of OAUTH thing for private github packages.

Raynos avatar May 20 '20 07:05 Raynos

I am considering a git dependency that would allow this. See https://github.com/silverwind/updates/issues/60#issuecomment-1596085376.

silverwind avatar Jun 18 '23 10:06 silverwind

Thought I think I will reject this as git dependencies in npm is not something that should be encouraged as they are volatile and can be deleted or force-pushed over anytime. It's the reason why the go language has introduced GOPROXY. It's much better to just pubish your package to a (private) npm registry instead.

silverwind avatar Jun 18 '23 17:06 silverwind