On Tue, Mar 26, 2013 at 4:15 PM, Nathan White <[email protected]> wrote:

> Martin you make a valid point. However what if I have a module that is
> proprietary? Your argument doesn't address this.
>

No, I didn't address that, because it's an anti-pattern for the use of the
npm registry. For example, see:

https://groups.google.com/forum/#!msg/nodejs/MUxu6u_cjng/oyhpjyewufEJ

While Isaac's message doesn't explicitly address non-proprietary packages
with proprietary dependencies, I would expect the same rules to apply,
since such packages are thereby unusable except to a privileged few.


> This type of uri reference works well if you don't want to deal with
> setting up your own npm server. Setting up an npm server is a pain, initial
> clone is around 40GB. The proposed option definitely allows the node mantra
> of developing small packages while protecting corporate IP without the
> cost of maintaining a dedicated npm server.
>

You have at least three options:

1) Setting up your own registry is really quite straightforward, especially
if you use a hosting service such as IrisCouch. Space-wise, 40GB is nothing
these days.

2) There's at least one hosted npm service now, targeting users with
private packages, and saving you the bother of setting it up yourself. See
https://www.irisnpm.com/.

3) There are several lightweight registries designed specifically to sit in
between your users and the public registry and handle private packages. For
one example, see https://github.com/dominictarr/shadow-npm.

--
Martin Cooper


On Mar 25, 2013, at 8:29 PM, Martin Cooper <[email protected]> wrote:
>
> My own perspective is that relying on projects that declare their
> dependencies this way is a really bad idea. They're relying on unreleased
> versions of packages that aren't necessarily considered stable enough for
> use by the package author in the first place. If the authors had considered
> them stable, they would have published to the npm registry, since that
> takes a matter of seconds. It's even worse when no commit is specified,
> since the dependency is then a moving target, changing with every commit,
> and you could be completely broken at any time.
>
> If your build servers are partially locked down for security reasons, I'd
> think you'd want to have the security of knowing that you have reproducible
> builds - that you'd get the same thing if you build the same project twice.
> With dependencies like this, you don't have that.
>
> I fully realise that this isn't what you're asking, but I submit that this
> is a bigger issue than just having npm futz around with the specified
> protocols to see if it can find one that works.
>
> --
> Martin Cooper
>
>
> On Mon, Mar 25, 2013 at 4:46 PM, Daniel Wabyick <[email protected]> wrote:
>
>> We have a build environment where our build servers do not have external
>> SSH access for security reasons. We've got hit by the problem like in the
>> following pull request [0], where an NPM dependency does not specify both
>> the git+https protocol.
>>
>> [0] https://github.com/jsdoc3/jsdoc/pull/352/files
>>
>> Since this was a dependency of another project, we didn't really have an
>> easy way to make this fix, and have to wait until it gets fixed in an NPM
>> exposed repository.
>>
>> It seems like 'a good thing' if NPM either a) had a setting to allow git
>> to imply git+https, or b) just always tried https if the git:// protocol
>> failed.
>>
>>
>> I'm interested in doing the work and making a pull request, but wanted to
>> see if there was a downside to this approach that I'm missing.  Personally,
>> I would choose b) to keep settings to a minimum.
>>
>>
>>
>> --
>> --
>> Job Board: http://jobs.nodejs.org/
>> Posting guidelines:
>> https://github.com/joyent/node/wiki/Mailing-List-Posting-Guidelines
>> You received this message because you are subscribed to the Google
>> Groups "nodejs" group.
>> To post to this group, send email to [email protected]
>> To unsubscribe from this group, send email to
>> [email protected]
>> For more options, visit this group at
>> http://groups.google.com/group/nodejs?hl=en?hl=en
>>
>> ---
>> You received this message because you are subscribed to the Google Groups
>> "nodejs" group.
>> To unsubscribe from this group and stop receiving emails from it, send an
>> email to [email protected].
>> For more options, visit https://groups.google.com/groups/opt_out.
>>
>>
>>
>

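Added example (not part of the original thread, and not npm's own code): a small Node.js check for the two problems raised above, git dependencies that a build server limited to outbound HTTPS cannot fetch, and git dependencies with no fixed commit. The function names, finding labels and sample manifest are constructed for illustration; treating anything other than a full 40-character commit hash as movable is a policy assumption.

```javascript
// Added example: audit git-URL dependencies in a package.json object.
// Only full git URLs are handled; GitHub shorthand and tarball URLs are not.
const GIT_SPEC = /^(git(?:\+(?:ssh|https?|file))?):\/\/[^#]+(?:#(.*))?$/;
const FULL_SHA = /^[0-9a-f]{40}$/i;
const SECTIONS = ['dependencies', 'devDependencies', 'optionalDependencies'];

// Returns a list of finding labels, or null for a non-git spec (e.g. "~1.2.0").
function auditSpec(spec) {
  const m = GIT_SPEC.exec(spec);
  if (!m) return null;
  const [, scheme, ref = ''] = m;
  const findings = [];
  // A build server with outbound HTTPS only cannot reach git:// or ssh remotes.
  if (scheme !== 'git+https') findings.push('not-https');
  if (ref === '') {
    findings.push('no-commit');   // follows the remote's default branch
  } else if (!FULL_SHA.test(ref)) {
    findings.push('mutable-ref'); // assumption: branch, tag or short hash can move
  }
  return findings;
}

// Collects every flagged git dependency across the manifest's sections.
function auditManifest(pkg) {
  const report = [];
  for (const section of SECTIONS) {
    for (const [name, spec] of Object.entries(pkg[section] || {})) {
      const findings = auditSpec(String(spec));
      if (findings && findings.length > 0) {
        report.push({ section, name, spec, findings });
      }
    }
  }
  return report;
}

// Constructed sample manifest (hosts and package names are placeholders).
const samplePkg = {
  name: 'constructed-example',
  dependencies: {
    left: '~1.2.0',
    alpha: 'git://example.com/org/alpha.git',
    beta: 'git+https://example.com/org/beta.git#master',
    gamma: 'git+https://example.com/org/gamma.git#0123456789abcdef0123456789abcdef01234567',
    delta: 'git+ssh://git@example.com/org/delta.git#v1.0.0'
  }
};

for (const f of auditManifest(samplePkg)) {
  console.log(`${f.section}/${f.name}: ${f.findings.join(', ')} (${f.spec})`);
}
```

Run against a project's own package.json, an empty report means every git dependency is fetched over HTTPS and fixed to one commit.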