
Package not updated when using git+ssh with deploy key and release syntax

Open sunknudsen opened this issue 3 years ago • 6 comments

  • [x] I have searched for similar issues
  • [x] I am using the latest version of npm-check-updates
  • [x] I am using node >= 10.17

Steps to Reproduce

Install package using git+ssh with deploy key and release syntax (for example: npm install git+ssh://git@react-hashlink:sunknudsen/react-hashlink.git#v0.0.1).

$ cat ~/.ssh/config
Host react-hashlink
HostName github.com
IdentityFile ~/.ssh/react-hashlink

Current Behavior

When I run ncu -u, I get "All dependencies match the latest package versions :)".

Expected Behavior

Given git+ssh://git@react-hashlink:sunknudsen/react-hashlink.git#v0.0.2 exists, I expected ncu to update package.json accordingly.

sunknudsen, Jan 18 '21 15:01

According to this commit, looks like the above syntax should work.

Btw, thanks for npm-check-updates! Very useful package. 🤓

sunknudsen, Jan 18 '21 15:01

Thanks for reporting the issue. I'm not super familiar with git+ssh, so I might need some additional help.

Is this just a private repo on github? Trying to understand how I can reproduce the issue on my end.

The main thing that ncu needs to determine an upgrade is a call to pacote's packument function. Are you able to successfully use pacote on your machine to fetch the react-hashlink manifest? That would be the best way to determine if the problem is in npm-check-updates or pacote.

raineorshine, Jan 18 '21 16:01

Is this just a private repo on github?

Yes and I use a GitHub deploy key to authenticate over SSH.

Trying to understand how I can reproduce the issue on my end.

Would it help if I add you as a contributor to my react-hashlink repo and share a deploy key with you via email?

Are you able to successfully use pacote on your machine to fetch the react-hashlink manifest?

Investigating...

sunknudsen, Jan 18 '21 19:01

What command would you like me to run? pacote packument git+ssh://git@react-hashlink:sunknudsen/react-hashlink.git?

sunknudsen, Jan 18 '21 19:01

Hey @raineorshine, your gut feeling was spot-on. It appears pacote doesn't handle ~/.ssh/config correctly.

$ pacote packument git+ssh://git@react-hashlink:sunknudsen/react-hashlink.git
TypeError [ERR_INVALID_URL]: Invalid URL: git+ssh://git@react-hashlink:sunknudsen/react-hashlink.git
    at onParseError (internal/url.js:257:9)
    at new URL (internal/url.js:333:5)
    at new URL (internal/url.js:330:22)
    at GitFetcher.[_addGitSha] (/usr/local/lib/node_modules/pacote/lib/git.js:128:28)
    at /usr/local/lib/node_modules/pacote/lib/git.js:228:27 {
  input: 'git+ssh://git@react-hashlink:sunknudsen/react-hashlink.git',
  code: 'ERR_INVALID_URL'
}

Using hostname github.com vs react-hashlink, command returns expected output.

$ pacote packument git+ssh://git@github.com:sunknudsen/react-hashlink.git
{
  name: 'react-hashlink',
  'dist-tags': { latest: '0.0.2' },
  ...
}

Problem is using hostname github.com doesn't work in the context of deployment keys... or at the very least, I haven't found a more elegant solution (using a personal access token appears to be insecure in the context of deploying packages).

For reference, here is my question on StackOverflow. Others are also looking for an elegant solution.

sunknudsen, Jan 18 '21 19:01
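
The stack trace in the comment above ends in `new URL`, and the WHATWG URL parser reads whatever follows the colon after the host as a port number. As an added example (not code from pacote or npm-check-updates), this Node.js code reproduces that rejection for the spec quoted in the thread and uses a hypothetical `normalizeGitSsh` helper to rewrite the scp-style `host:path` into `host/path` so the host alias, path and tag can be read; `example.test` in the comment is a constructed host.

```javascript
// Added example: not pacote or npm-check-updates code.
// SPEC_ALIAS is the install spec quoted in the issue (SSH host alias + tag).
const SPEC_ALIAS =
  'git+ssh://git@react-hashlink:sunknudsen/react-hashlink.git#v0.0.1';

// Run the WHATWG parser, returning null instead of throwing ERR_INVALID_URL.
function tryParse(spec) {
  try {
    return new URL(spec);
  } catch (err) {
    if (err instanceof TypeError) return null;
    throw err;
  }
}

// Hypothetical helper: rewrite scp-style "user@host:path" inside a
// git+ssh:// spec to "user@host/path". A numeric segment after the colon
// (e.g. example.test:2222/...) is a real port and is left untouched.
function normalizeGitSsh(spec) {
  const re =
    /^(git\+ssh:\/\/(?:[^@\/]+@)?[^:\/#]+):(?!\d+(?:[\/#]|$))([^#]*)(#.*)?$/;
  const m = re.exec(spec);
  if (!m) return spec;
  return `${m[1]}/${m[2].replace(/^\/+/, '')}${m[3] || ''}`;
}

// Report how a spec parses: directly, only after normalization, or not at all.
function inspectSpec(spec) {
  const direct = tryParse(spec);
  const url = direct || tryParse(normalizeGitSsh(spec));
  if (!url) return { parsedDirectly: false, parsed: false };
  return {
    parsedDirectly: direct !== null,
    parsed: true,
    user: url.username,
    host: url.hostname, // the ~/.ssh/config alias, not a DNS name
    path: url.pathname,
    ref: url.hash.slice(1) || null, // tag or commit-ish after '#'
  };
}

console.log(inspectSpec(SPEC_ALIAS));
```
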

Nice work! I'm watching the pacote issue now and look forward to hearing their response.

raineorshine, Jan 19 '21 00:01

Fixed in pacote v11.2.7

raineorshine, Jun 25 '23 14:06