If the spec has a git sha, just fetch the tarball from the CDN, and we're done.Perhaps an approach that both works in build scenarios without ssh keys and for dev machines where ssh keys are present, while minimizing the scenarios where we need to prompt for a username/password for basic auth, would be to do the following for resolving any known-host git spec: However, if you do not have a git sha in the spec (typically, because there's no lockfile present), then we will have to do a git rev-list to figure out which sha we need to fetch, and that's where it runs into trouble. If the repo is public, and a git sha is specified in the spec that we're fetching, then we never hit it via git at all npm will just fetch the tarball from the appropriate CDN url for the known host. The tricky bit is that using https without auth in the url will trigger a prompt to enter a username and password on the command line, which will fail (or at least be confusing and strange) in many cases where an install with ssh would work fine. We currently keep the https url if auth is set in the url, because presumably you need that auth to access the repo. Please do not hesitate to ask, if something is left unclear. I hope I explained the problem better now. I don't know if the bug is specific to GitHub: adding was transformed into github:uhop/stream-chain (please peruse my bug report above), and who knows what protocol it assumes. Our build environment is not set up for ssh, yet we can use https.Those protocols have a different way to authenticate a user.It definitely tries to access the repository using ssh rather than https protocol and fails.In package-lock.json it is mentioned three times.The dependency is set as - note part of it.See the description and do the same steps using git repositories (github only?) as dependencies.
When running npm ci it should use the original URL with the HTTP authentication instead of SSH. The fix is relatively minor yet unpleasant: we have to replace npm ci with npm i, which takes more time and introduced instabilities with other dependencies. Rewriting to is not acceptable for that reasons. The problem is that a build bot we use in similar situations can access private git repositories using HTTP, but not SSH for security reasons. But other two links (?) are rewritten from to which is clearly bad. Note that was replaced with github:uhop/stream-chain, which is probably OK in this case. "stream-chain": "github:uhop/stream-chain "
0 kommentar(er)
