I have an NPM project that uses a git dependency:

```json
{
  "repository": {
    "type": "git",
    "url": "https://bitbucket.org/my-private-group"
  },
  "dependencies": {
    "my-dependency": "bitbucket:group/lib#version"
  }
}
```
Now I want to build this project in CI using Docker with node installed.
Problem: npm install tries to call git and fails because git is not there. But even if I install git, it still requires authentication because it is a private repository.
At the moment I see the following solution: npm link. But this option still requires knowing the dependencies set up in package.json, which makes it complicated.
Question: What is the best way of handling git dependencies in CI? Are there any other options apart from the listed one? What is the best practice?
The npm installation from GitHub is quite useful for testing packages. It also gives the flexibility to install any specific branch, version, tag, and so on.
To install a package as a project dependency or a development dependency:
npm install --save <package_name> or npm install --save-dev <package_name>
yarn add <package_name> --dev
pnpm add --save-dev <package_name>
Pulling from git without git installed is kind of hard, and installing git is easy. Just list it as a requirement for your project: this project requires Windows/Linux/macOS, Node.js, git.
You're allowing people to pull from a private repo; at that moment they have access to your source code, so the whole point of having the repo private is lost anyway. Anyone who wants to duplicate your code can do so easily the moment it's on their computer, even if it's obfuscated.
So I would go back a step and ask you to start by asking yourself why the repo is private. Is it code that is only distributed when an NDA is present? If so, you could consider working with SSH key files to log in.
Or you could host your files on a privately hosted Gogs server, where you whitelist the IPs in the firewall/nginx router that can pull from the Gogs repository on your server.
If you want anyone to be able to use your repository in the final distribution of your project, you're better off lifting the private setting on your repository. You might even get some free help fixing some bugs.
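The two answers above cover the pieces separately: install git in the build image, and give the build a credential for the private repository. The Dockerfile below is an added example that puts them together for the question's Docker-based CI build; it is not code from the question or from either answer. It assumes a Bitbucket repository access token with read scope, supplied to the build as a BuildKit secret called bb_token, and that "x-token-auth" is the username Bitbucket expects for such tokens (adjust for another host). The git "insteadOf" rewrites cover the SSH and HTTPS URL forms npm can derive from "bitbucket:group/lib#version", so neither an SSH key nor an interactive prompt is needed, and the token is mounted only for the one RUN step rather than baked into a layer via ARG or ENV. The CMD line is a placeholder for whatever the project actually starts.

```dockerfile
# syntax=docker/dockerfile:1
# Added example, not the project's own Dockerfile. Build with the token kept
# in a file outside the build context, e.g.:
#   docker build --secret id=bb_token,src=/path/to/bb_token.txt -t my-app .
FROM node:20-alpine

# git is a build requirement of this project, so it belongs in the image.
RUN apk add --no-cache git

WORKDIR /app
# package-lock.json pins each git dependency to a commit hash, so a moving
# tag or branch in "#version" cannot silently change what CI installs.
COPY package.json package-lock.json ./

# The secret is mounted at /run/secrets/bb_token for this RUN step only.
# insteadOf rewrites every bitbucket.org URL form git may be asked to clone
# into a token-authenticated HTTPS URL. "x-token-auth" is assumed to be the
# username Bitbucket uses for access tokens. The .gitconfig holding the
# token is removed in the same step so it is never committed to a layer.
RUN --mount=type=secret,id=bb_token \
    TOKEN="$(cat /run/secrets/bb_token)" \
 && AUTH_URL="https://x-token-auth:${TOKEN}@bitbucket.org/" \
 && git config --global --add url."${AUTH_URL}".insteadOf "ssh://git@bitbucket.org/" \
 && git config --global --add url."${AUTH_URL}".insteadOf "git@bitbucket.org:" \
 && git config --global --add url."${AUTH_URL}".insteadOf "https://bitbucket.org/" \
 && npm ci \
 && rm -f /root/.gitconfig

COPY . .
# Assumed entry point; replace with the project's real start command.
CMD ["node", "index.js"]
```

Use a read-only, short-lived token scoped to the one dependency repository, and never pass it through ARG or ENV: both survive in the image history, whereas a secret mount leaves nothing behind once the step finishes. If npm ci fails with a git error, check that the lockfile's "resolved" entry for the dependency uses one of the three URL prefixes rewritten above; any other form (for example a different host alias) needs its own insteadOf line.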