Improving `PackageDescriptor` for URL-specified packages
kylewillmon opened this issue · comments
```rust
pub struct PackageDescriptor {
    pub name: String,
    pub version: String,
    #[serde(rename = "type")]
    pub package_type: PackageType,
}
```
The current `PackageDescriptor` struggles to describe dependencies that do not come from the repository specified by `PackageType` (e.g., dependencies specified by URL). The current solution for this seems to be to put the URL in the `version` field, but this seems like a bit of a stretch of the meaning of that field.
I'm opening this issue to start a discussion about how this could be improved in the future.
JavaScript's npm allows specifying packages by URL in many different ways:
```json
// URL directly to a tarball. No version specified
"asd": "http://asdf.com/asdf.tar.gz",
// `git+ssh` URL with a commit-ish
"cli": "git+ssh://git@github.com:npm/cli.git#v1.0.27",
// `git` protocol URL with a `semver` version range
"example": "git://github.com:npm/example#semver:^5.0",
// GitHub reference with a commit-ish
"module": "user/repo#feature\/branch"
```
I would hope that the git URLs are locked to a specific commit hash before they are put into the `package-lock.json`, but I haven't yet tested this.
For the direct tarball URL, I would hope that a hash is included in the `package-lock.json` file.
It's worth pointing out that the last one doesn't even include a URL; it is just a short form of referencing a project on github.com.
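To make the shape of the problem concrete, here is an added example (not the project's code, and not a proposed API) that parses the four npm specifier forms above into a descriptor that keeps the source location separate from the version or git ref, and checks whether a spec is actually pinned to a commit. The `NpmSource`, `classify_npm_spec` and `pinned_to_commit` names are assumptions for illustration; the matching rules are a simplification of npm's real resolution.

```rust
// Added example, not the project's code: parse the npm specifier forms listed above
// into a descriptor that keeps the location separate from the version or git ref.
#[derive(Debug, PartialEq)]
pub enum NpmSource {
    Registry { range: String },                 // plain semver range from the registry
    Tarball { url: String },                    // direct URL, carries no version at all
    Git { url: String, committish: Option<String>, semver_range: Option<String> },
    GitHub { repo: String, committish: Option<String> }, // `user/repo` shorthand
}

/// A `#fragment` on a git spec is either `semver:<range>` or a commit-ish (tag, branch, sha).
fn git_ref(fragment: Option<&str>) -> (Option<String>, Option<String>) {
    match fragment {
        Some(f) if f.starts_with("semver:") => (None, Some(f["semver:".len()..].to_string())),
        Some(f) => (Some(f.to_string()), None),
        None => (None, None),
    }
}

pub fn classify_npm_spec(spec: &str) -> NpmSource {
    let (base, fragment) = match spec.split_once('#') {
        Some((b, f)) => (b, Some(f)),
        None => (spec, None),
    };
    if base.starts_with("git://") || base.starts_with("git+") {
        let (committish, semver_range) = git_ref(fragment);
        return NpmSource::Git { url: base.to_string(), committish, semver_range };
    }
    if base.starts_with("http://") || base.starts_with("https://") {
        // Assumption: a bare http(s) URL is a tarball, as in the package.json example above.
        return NpmSource::Tarball { url: base.to_string() };
    }
    if !base.contains(':') && base.matches('/').count() == 1 {
        return NpmSource::GitHub { repo: base.to_string(), committish: fragment.map(str::to_string) };
    }
    NpmSource::Registry { range: spec.to_string() }
}

/// True only when the git ref is a full 40-hex commit sha, i.e. the source is really pinned;
/// a tag or branch name can move, and a tarball URL has nothing to pin at all.
pub fn pinned_to_commit(src: &NpmSource) -> bool {
    let r = match src {
        NpmSource::Git { committish: Some(c), .. } | NpmSource::GitHub { committish: Some(c), .. } => c,
        _ => return false,
    };
    r.len() == 40 && r.chars().all(|c| c.is_ascii_hexdigit())
}
```

Note that none of the four specs from the package.json snippet is pinned by this check: `v1.0.27` and `feature/branch` are movable refs, `semver:^5.0` is a range, and the tarball has no ref at all, which is exactly why a lockfile hash matters for them.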