Martin you make a valid point. However what if I have a module that is proprietary? Your argument doesn't address this. This type of uri reference works well if you don't want to deal with setting up your own npm server. Setting up an npm server is a pain, initial clone is around 40GB. The proposed option definitely allows the node mantra of developing small packages while protecting corporate IP without the cost of maintaining a dedicated npm server.
On Mar 25, 2013, at 8:29 PM, Martin Cooper <[email protected]> wrote: > My own perspective is that relying on projects that declare their > dependencies this way is a really bad idea. They're relying on unreleased > versions of packages that aren't necessarily considered stable enough for use > by the package author in the first place. If the authors had considered them > stable, they would have published to the npm registry, since that takes a > matter of seconds. It's even worse when no commit is specified, since the > dependency is then a moving target, changing with every commit, and you could > be completely broken at any time. > > If your build servers are partially locked down for security reasons, I'd > think you'd want to have the security of knowing that you have reproducible > builds - that you'd get the same thing if you build the same project twice. > With dependencies like this, you don't have that. > > I fully realise that this isn't what you're asking, but I submit that this is > a bigger issue than just having npm futz around with the specified protocols > to see if it can find one that works. > > -- > Martin Cooper > > > On Mon, Mar 25, 2013 at 4:46 PM, Daniel Wabyick <[email protected]> wrote: > We have a build environment where our build servers do not have external SSH > access for security reasons. We've got hit by the problem like in the > following pull request [0], where an NPM dependency does not specify both the > git+https protocol. > > [0] https://github.com/jsdoc3/jsdoc/pull/352/files > > Since this was a dependency of another project, we didn't really have an easy > way to make this fix, and have to wait until it gets fixed in an NPM exposed > repository. > > It seems like 'a good thing' if NPM either a) had a setting to allow git to > imply git+https, or b) just always tried https if the git:// protocol > failed. > > > I'm interested in doing the work and making a pull request, but wanted to see > if there was a downside to this approach that I'm missing. Personally, I > would choose b) to keep settings to a minimum. > > > -- > -- > Job Board: http://jobs.nodejs.org/ > Posting guidelines: > https://github.com/joyent/node/wiki/Mailing-List-Posting-Guidelines > You received this message because you are subscribed to the Google > Groups "nodejs" group. > To post to this group, send email to [email protected] > To unsubscribe from this group, send email to > [email protected] > For more options, visit this group at > http://groups.google.com/group/nodejs?hl=en?hl=en > > --- > You received this message because you are subscribed to the Google Groups > "nodejs" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to [email protected]. > For more options, visit https://groups.google.com/groups/opt_out. > > > > -- > -- > Job Board: http://jobs.nodejs.org/ > Posting guidelines: > https://github.com/joyent/node/wiki/Mailing-List-Posting-Guidelines > You received this message because you are subscribed to the Google > Groups "nodejs" group. > To post to this group, send email to [email protected] > To unsubscribe from this group, send email to > [email protected] > For more options, visit this group at > http://groups.google.com/group/nodejs?hl=en?hl=en > > --- > You received this message because you are subscribed to the Google Groups > "nodejs" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to [email protected]. > For more options, visit https://groups.google.com/groups/opt_out. > > -- -- Job Board: http://jobs.nodejs.org/ Posting guidelines: https://github.com/joyent/node/wiki/Mailing-List-Posting-Guidelines You received this message because you are subscribed to the Google Groups "nodejs" group. To post to this group, send email to [email protected] To unsubscribe from this group, send email to [email protected] For more options, visit this group at http://groups.google.com/group/nodejs?hl=en?hl=en --- You received this message because you are subscribed to the Google Groups "nodejs" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. For more options, visit https://groups.google.com/groups/opt_out.
