NPM: How to build a project with git-based dependencies without having to call 'git' command?

I have an NPM project that uses a git dependency

{
  "repository": {
    "type": "git",
    "url": "https://bitbucket.org/my-private-group"
  },
  "dependencies": {
    "my-dependency": "bitbucket:group/lib#version"
  }
}

Now I want to build this project in CI using Docker with node installed.

Problem: node install tries to call git and fails because git is not there. But even if I install git it still requires authentication because it is a private repository.

At the moment I see the following solutions:

  • I would have to install git in docker and add an SSH key to be able to download the source code.
  • I may pack the related repository into the Docker image and use npm link. But this option still requires knowing dependencies set up in package.json which makes it complicated.
  • Set up my own npm repository to post artifacts and not use git dependencies. This option is unfortunately not achievable in my case.

Question: What is the best way of handling git dependencies in CI? Are there any other options apart from the listed ones? What is the best practice?

Sasha Shpota asked Aug 30 '19 14:08




1 Answer

Pulling from git without git installed is kind of hard. And installing git is easy. Just list it as a dependency for your project: this project requires Windows/Linux/macOS, Node.js, git.

You're allowing people to pull from a private repo... the moment they have access to your source code, all use of having the repo private is lost anyway. Anyone who wants to duplicate your code can do so easily the moment it's on their computer, even if it's obfuscated.

So, I would go back a step and ask you to start asking yourself why the repo is private. Is it code that is only distributed when an NDA is present? If so, you could consider working with SSH key files to log in.

Or, you could host your files on a privately hosted Gogs server, where you whitelist IPs in the firewall/nginx router that can pull from the Gogs repository on your server.

If you want anyone to be able to use your repository in the final distribution of your project, you're better off lifting the private setting of your repository. You might even get some free help fixing some bugs.

Tschallacka answered Nov 15 '22 03:11
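A concrete way to do the first option from the question (install git in the image and authenticate over SSH), in line with the answer's suggestion of SSH key files, is to forward the CI runner's SSH agent into the build with BuildKit instead of copying a key into the image. The Dockerfile below is an added example written for this page; it is not code from the question, the answer, or any project. It assumes the private dependency is declared with an SSH URL such as git+ssh://git@bitbucket.org/group/lib.git#version (the group/lib path is hypothetical), that a package-lock.json exists, and that the entry point is index.js; the node:18-alpine base image is also my choice.

```dockerfile
# syntax=docker/dockerfile:1
# Added example, not from the original post. Requires BuildKit so that
# RUN --mount=type=ssh is available.
FROM node:18-alpine

# npm shells out to git for git-based dependencies, so git must be present;
# openssh-client is needed for the git+ssh transport.
RUN apk add --no-cache git openssh-client

# Pin the Bitbucket host key so the clone fails on a host-key mismatch instead
# of prompting. ssh-keyscan trusts whatever it receives at scan time, so compare
# the fingerprint in known_hosts against Bitbucket's published fingerprints
# before relying on this step.
RUN mkdir -p -m 0700 /root/.ssh \
 && ssh-keyscan bitbucket.org >> /root/.ssh/known_hosts

WORKDIR /app
COPY package.json package-lock.json ./

# --mount=type=ssh exposes the build host's ssh-agent socket to this RUN step
# only. The private key never enters the build context or any image layer, and
# the socket is gone once the step finishes. Assumes the dependency is written
# as git+ssh://git@bitbucket.org/group/lib.git#version (hypothetical path).
RUN --mount=type=ssh npm ci

COPY . .
# index.js is a placeholder entry point for this example.
CMD ["node", "index.js"]
```

Run the build with the agent holding a read-only deploy key for the dependency repository, for example: `eval "$(ssh-agent -s)" && ssh-add /path/to/deploy_key && DOCKER_BUILDKIT=1 docker build --ssh default .`. A deploy key scoped to that one repository limits what a compromised CI job can read, and because the key is only ever reachable through the agent socket during `npm ci`, `docker history` and the pushed image contain no credential. If git and openssh-client should not ship in the runtime image, move the `npm ci` step into a builder stage and copy `node_modules` into a slimmer final stage.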