Git dependency with tag/commit hash #220
Comments
Hey @AuHau! That sounds like a great rule idea. You might be able to build off the following rules. What are you thinking for the rule names? What do you think about making a dependency and a devDependency variant? https://npmpackagejsonlint.org/docs/en/rules/dependencies/no-git-dependencies
👍 I would also be interested in rules for git dependencies. Having a rule that mirrors the following rules
An "absolute-version" with git would be something like
Aka either a full commit or a tag. It's assumed that any "branchOrTagReference" that starts with
Bad examples would be
I do not know if we need to add a new exception to the existing rules like

    {
      "rules": {
        "prefer-absolute-version-devDependencies": ["error", {
          "allowGit": true
        }]
      }
    }

From my experience with npm + git the following URL prefixes are valid (https://github.com/uber-archive/npm-shrinkwrap/blob/master/analyze-dependency.js#L116-L126):

    case "git:":
    case "git+http:":
    case "git+https:":
    case "git+rsync:":
    case "git+ftp:":
    case "git+ssh:":
        return true;

And also
Hey @Raynos your proposal looks really good! Would you be interested in contributing a PR with the changes?
I don’t use this package at the moment.
When you add a Git repo as a dependency, it will always grab the latest commit upon installation, which makes it unpredictable because two developers can end up with different versions of the same dependency just because they installed it at different times.
It is possible to "stabilize" this situation using either a tag or a commit hash, which specifies the exact point in the dependency's history that will always be installed.
I would like to enforce this stability with a rule. Happy to create a PR for it.
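The following is an added example illustrating the check this thread asks for; it is not code from npm-package-json-lint or from any participant. It classifies each git dependency specifier in a `package.json` dependencies map and reports the ones that are not pinned to an exact point in history. The prefix list is the one quoted from npm-shrinkwrap above; everything else is an assumption made for this example: the function names, the rule that a full commit is 40 hex characters, the heuristic that a reference looking like an optional `v` plus a semver version is a tag, and the treatment of npm's `#semver:` ranges, branches and abbreviated hashes as not absolute. Shorthands such as `github:user/repo` are not handled.

```javascript
// Added example, not the project's code. Prefixes are the ones quoted in the
// thread from npm-shrinkwrap's analyze-dependency.js.
const GIT_PREFIXES = ['git:', 'git+http:', 'git+https:', 'git+rsync:', 'git+ftp:', 'git+ssh:'];

// Assumption for this example: a full commit is a 40-hex-char SHA-1.
const FULL_COMMIT = /^[0-9a-f]{40}$/i;
// Assumption for this example: a tag is an optional "v" followed by a semver-like version.
const TAG_LIKE = /^v?\d+\.\d+\.\d+(?:[-+][0-9A-Za-z.-]+)?$/;

function isGitDependency(spec) {
  const lower = spec.toLowerCase();
  return GIT_PREFIXES.some((prefix) => lower.startsWith(prefix));
}

// Returns { git: false } for registry specs, otherwise the kind of git reference:
// 'commit' | 'tag' (absolute) or 'floating' | 'semver-range' | 'branch-or-short-ref' (not absolute).
function classifyGitDependency(spec) {
  if (!isGitDependency(spec)) {
    return { git: false };
  }
  const hashIndex = spec.indexOf('#');
  if (hashIndex === -1) {
    // No committish at all: npm resolves the repository's default branch HEAD at install time.
    return { git: true, kind: 'floating', reference: null };
  }
  const reference = spec.slice(hashIndex + 1);
  if (FULL_COMMIT.test(reference)) {
    return { git: true, kind: 'commit', reference };
  }
  if (reference.startsWith('semver:')) {
    // A range, so the resolved tag can change as new tags are pushed.
    return { git: true, kind: 'semver-range', reference };
  }
  if (TAG_LIKE.test(reference)) {
    return { git: true, kind: 'tag', reference };
  }
  // Branch names and abbreviated hashes: a branch moves, a short hash can become ambiguous.
  return { git: true, kind: 'branch-or-short-ref', reference };
}

// Mirrors the "absolute version" idea from the thread: a full commit or a tag.
function isAbsoluteGitVersion(spec) {
  const result = classifyGitDependency(spec);
  return result.git && (result.kind === 'commit' || result.kind === 'tag');
}

// Lint a dependencies map and return the git dependencies that are not pinned.
function findUnpinnedGitDependencies(dependencies) {
  return Object.entries(dependencies)
    .filter(([, spec]) => isGitDependency(spec) && !isAbsoluteGitVersion(spec))
    .map(([name, spec]) => ({ name, spec, kind: classifyGitDependency(spec).kind }));
}

// Constructed sample dependencies block (hypothetical repositories).
const sampleDependencies = {
  'pinned-commit': 'git+https://github.com/example/repo.git#0123456789abcdef0123456789abcdef01234567',
  'pinned-tag': 'git+ssh://git@github.com/example/repo.git#v1.2.3',
  'floating-head': 'git+https://github.com/example/repo.git',
  'branch': 'git://github.com/example/repo.git#master',
  'short-sha': 'git+https://github.com/example/repo.git#0123456',
  'range': 'git+https://github.com/example/repo.git#semver:^1.0.0',
  'registry': '^2.0.0',
};

const report = findUnpinnedGitDependencies(sampleDependencies);
for (const finding of report) {
  console.log(`${finding.name}: "${finding.spec}" is not an absolute git version (${finding.kind})`);
}
```

Run on the sample above, the report lists `floating-head`, `branch`, `short-sha` and `range`; `pinned-commit` and `pinned-tag` pass, and the registry spec is ignored because it is not a git dependency at all. A rule built on this would flag exactly the cases the issue describes: specs that install whatever the repository's HEAD or branch points at when `npm install` happens to run.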