-
Notifications
You must be signed in to change notification settings - Fork 47
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
fix: don't use FileFetcher.manifest() for git pkgs #314
Conversation
To get the manifest for a hosted, resolved git package, pacote uses FileFetcher.manifest. FileFetcher.manifest calls extract(), which calls _tarballFromResolved. This means getting the manifest involves nearly a complete pack operation, including 'npm install', the 'prepare' script etc. It also means getting the manifest requires an Arborist constructor (causes npm/cli#6723). Remove the special handling of hosted, resolved git packages, handle all git packages the same way: clone the repo (or get the tarball from a hosted git server) and read the package.json. The effects for hosted, resolved git packages: - getting the manifest no longer involves packing the tarball - getting the manifest no longer requires an Arborist constructor - the manifest no longer includes an _integrity (same as un-hosted or un-resolved git packages) Signed-off-by: Adam Cmiel <[email protected]>
Hi! I tried to fix an issue which causes There are some potential BREAKING CHANGE candidates here, not sure if they really are breaking changes:
|
The reason it does this is a historical assumption that the git source of a package needs to be prepared, i.e. it's the "source".
The real sticking point is going to be if folks use ETA: it looks like the integrity you were talking about was the integrity from the |
It might be worth highlighting that prepare only runs for "resolved" specs. To take the example from the npm issue: npm pack vercel/ms#3.0.0-canary.1
npm pack vercel/ms#1304f150b38027e0818cc122106b5c7322d68d0c ^ these are the same package, but only the one with the commit hash would get to run the prepare script if it had one Though I understand this may not be enough of an argument against this being a breaking change. It is also possible to fix the npm pack issue on the npm side, simply by passing an Arborist constructor to all |
to clarify: only the one with the commit hash would get to run the prepare script while getting the manifest / the packument all git deps get to run prepare while packing the tarball |
Yes at a bare minimum we want to do this, even if we eventually make a breaking change going forward. |
Got it, I'll look into that. |
To get the manifest for a hosted, resolved git package, pacote uses FileFetcher.manifest. FileFetcher.manifest calls extract(), which calls _tarballFromResolved.
This means getting the manifest involves nearly a complete pack operation, including 'npm install', the 'prepare' script etc. It also means getting the manifest requires an Arborist constructor (causes npm/cli#6723).
Remove the special handling of hosted, resolved git packages, handle all git packages the same way: clone the repo (or get the tarball from a hosted git server) and read the package.json.
The effects for hosted, resolved git packages: