
Git dependency with tag/commit hash

Open AuHau opened this issue 5 years ago • 4 comments

When you add a Git repo as a dependency it will always grab the latest commit upon installation, which makes it unpredictable because two developers can end up with different versions of the same dependency just because they installed it at different times.

It is possible to "stabilize" this situation using either tag version or commit hash which specifies the exact point of the dependency's history that will be always installed.

I would like to enforce this stability with a rule. Happy to create a PR with it.

AuHau avatar Mar 18 '20 15:03 AuHau

Hey @AuHau! That sounds like a great rule idea. You might be able to build off the following rules. What are you thinking for the name of the rules? What do you think about making dependency and devDependency variants?

https://npmpackagejsonlint.org/docs/en/rules/dependencies/no-git-dependencies https://npmpackagejsonlint.org/docs/en/rules/dependencies/no-git-devdependencies

P.S. Sorry for the delayed response. I'm happy to create the rule if this is no longer a good time for you to work on it.

tclindner avatar Apr 12 '20 02:04 tclindner

:+1: I would also be interested in rules for git dependencies.

Having a rule that mirrors the following rules

  • https://npmpackagejsonlint.org/docs/en/rules/dependencies/prefer-absolute-version-dependencies
  • https://npmpackagejsonlint.org/docs/en/rules/dependencies/prefer-absolute-version-devdependencies

An "absolute-version" with git would be something like

  • github:Raynos/error#v1.0.0
  • github:Raynos/error#v1.0.0-my-feature-patch-4
  • github:Raynos/error#59a70bf45da559b087573717cbe1ddfa9d818709
  • git+ssh://[email protected]/Raynos/error.git#59a70bf45da559b087573717cbe1ddfa9d818709

Aka either a full commit or a tag. It's assumed that any "branchOrTagReference" that starts with v${semver} is a tag and not a branch

Bad examples would be

  • github:Raynos/error
  • github:Raynos/error#branch
  • github:Raynos/error#master
  • github:Raynos/error#59a70bf
  • git+ssh://[email protected]/Raynos/error.git
  • git+ssh://[email protected]/Raynos/error.git#59a70bf

I do not know if we need to add a new exception to the existing rules like

{
  "rules": {
    "prefer-absolute-version-devDependencies": ["error", {
      "allowGit": true
    }]
  }
}

From my experience with npm + git the following URL prefixes are valid ( https://github.com/uber-archive/npm-shrinkwrap/blob/master/analyze-dependency.js#L116-L126 )

        case "git:":
        case "git+http:":
        case "git+https:":
        case "git+rsync:":
        case "git+ftp:":
        case "git+ssh:":
            return true;

And also

        - git://github.com/user/project.git#commit-ish
        - git+ssh://user@hostname:project.git#commit-ish
        - git+ssh://user@hostname/project.git#commit-ish
        - git+http://user@hostname/project/blah.git#commit-ish
        - git+https://user@hostname/project/blah.git#commit-ish
        - user/name#commit-ish (github)

Raynos avatar May 18 '20 09:05 Raynos

Hey @Raynos your proposal looks really good! Would you be interested in contributing a PR with the changes?

tclindner avatar Jun 14 '20 17:06 tclindner

I don’t use this package at the moment.

Raynos avatar Jun 14 '20 22:06 Raynos