Eugene Lazutkin

I am not suggesting to include `tensorflow-gpu` — it is already in `requirements.txt`. If you are sure that it is not needed and should be removed and it will not...

Just tried with exactly same results. ```txt $ npm --version 7.5.2 ``` `package-lock.json` is absolutely identical.

>I think there is no error in the code. Just to point it out explicitly: * The dependency is set as `https://github.com/uhop/stream-chain.git` — note `https://` part of it. * In...

It came to my attention that this is a documented behavior that breaks private repositories and environments without `ssh` access (from https://blog.npmjs.org/post/626173315965468672/npm-v7-series-beta-release-and-semver-major): > Git dependencies on known git hosts (GitHub,...

> These are all system-specific, not dependency- or repo-specific. Could these decisions be left for a developer, who provides explicit dependencies? Like if a URL starts with `https://` it is,...

Having well-known hosts is admirable, as long as it is transparent, yet it smells like magic — an extra-bandwidth knowledge, which makes the system behave differently on unexpected factors. In...

In the discussion one point was missed: the difference between `npm i` and `npm ci` security-wise (see the original ticket). Yes, `npm i` can choose different versions, yet the security...

> We save the git+https url when it contains auth We are discouraged by our security policy to commit any kind of credentials to repositories. Our dependency URLs do not...

@isaacs While I do use `npm v7` locally and it forms `package-lock.json`, code builds may run other versions. I just checked one AWS CodeBuild we have and it runs `node...

@lethjakman One way to do it (a kludge, really) is to create a fake object with two attributes: `content`, and `ext`. Set the former to a string you want to...