On Tue, 2021-08-17 at 14:07 +0530, Pirate Praveen wrote:
> 
> On 2021 August 17, 12:18:00 PM IST, Paul Wise <p...@debian.org> wrote:
> > On Mon, Aug 16, 2021 at 8:25 PM Pirate Praveen wrote:
> > 
> > > Many node modules don't tag their releases so it's really hard to get
> > > exact source code corresponding to an npmjs.com release.
> > 
> > It is probably worth filing upstream issues when you discover that.
> 
> We do file issues but response is not guaranteed.
> 
> > > Also with monorepos becoming more popular (many modules are developed
> > > in the same git repo with each module having a different version but
> > > there is no way to get tarballs of individual modules), now we not only
> > > need to download tarballs corresponding to tags and then exclude all the
> > > other modules we don't need from the monorepo tarball.
> > 
> > Could you package the monorepo instead of each module?
> > 
> 
> Sometimes we do but it has the risk of packaging
> unreleased changes. So it is similar to packaging git main branch.
Some monorepos like src:python-azure ( https://github.com/Azure/azure-sdk-for-python/ ) are such an unsalvageable mess that different modules from the same monorepo depend on each other, but a given monorepo commit rarely has compatible, coherent versions checked in. It can and does happen all the time that module A depends on module B and C, but at commit 12345 B is compatible but C is not, and at commit 54321 C is compatible but B is not. And the alternative of using pypi as upstream is of course a no-go, given how it's a malware-infested dump. With hundreds of modules in the monorepo, I can't possibly manually check every time that some of the names haven't been taken over by typo-squatters or suchlike (yes, sometimes the module names in the monorepo are different from the module names uploaded to pypi).

-- 
Kind regards,
Luca Boccassi
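The two problems Luca describes, a monorepo commit whose modules declare versions that do not satisfy each other's requirements, and module directories whose declared distribution name differs from the name used on PyPI, can both be checked mechanically. The script below is an added example written for this page; it is not code from the thread, from Debian, or from azure-sdk-for-python. The two monorepo snapshots (`COMMIT_12345`, `COMMIT_54321`), the module names `mod-a`/`mod-b`/`modc-client` and all versions are constructed to mirror the "A depends on B and C" scenario above, and the version handling is a deliberate stdlib-only simplification (dotted numeric versions, comparison operators only), not a full PEP 440 implementation. In a real run the snapshot dictionaries would be filled from each module's `setup.py`/`pyproject.toml` at the commit being packaged.

```python
"""Check whether one monorepo commit carries mutually compatible module versions.

Hypothetical example, not part of any Debian tooling. Each snapshot maps a
module directory to the distribution name, version and install_requires it
declares at that commit. All data below is constructed for illustration.
"""
import re
from typing import Dict, List, Tuple

Snapshot = Dict[str, dict]

# Constructed snapshot "at commit 12345": A's requirement on B holds, on C it does not.
COMMIT_12345: Snapshot = {
    "modules/mod-a": {"name": "mod-a", "version": "3.0.0",
                      "requires": ["mod-b>=1.2,<2", "modc-client>=2.0,<3", "requests>=2.25"]},
    "modules/mod-b": {"name": "mod-b", "version": "1.2.0", "requires": []},
    # Directory is mod-c but the declared (PyPI) distribution name differs.
    "modules/mod-c": {"name": "modc-client", "version": "1.9.0", "requires": []},
}

# Constructed snapshot "at commit 54321": now C is compatible but B is not.
COMMIT_54321: Snapshot = {
    "modules/mod-a": dict(COMMIT_12345["modules/mod-a"]),
    "modules/mod-b": {"name": "mod-b", "version": "1.1.0", "requires": []},
    "modules/mod-c": {"name": "modc-client", "version": "2.0.0", "requires": []},
}


def normalize(name: str) -> str:
    """PEP 503 name normalization so 'Mod_C' and 'mod-c' compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_version(v: str) -> Tuple[int, ...]:
    """'1.2' -> (1, 2). Simplification: only plain dotted numeric versions."""
    return tuple(int(p) for p in v.strip().split("."))


def _cmp(a: Tuple[int, ...], b: Tuple[int, ...]) -> int:
    """Compare two version tuples, padding the shorter one with zeros."""
    n = max(len(a), len(b))
    a, b = a + (0,) * (n - len(a)), b + (0,) * (n - len(b))
    return (a > b) - (a < b)


_OPS = {">=": lambda c: c >= 0, "<=": lambda c: c <= 0, ">": lambda c: c > 0,
        "<": lambda c: c < 0, "==": lambda c: c == 0, "!=": lambda c: c != 0}
_REQ = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*(.*?)\s*$")
_SPEC = re.compile(r"^(>=|<=|==|!=|>|<)\s*([0-9.]+)$")


def parse_requirement(req: str) -> Tuple[str, List[Tuple[str, Tuple[int, ...]]]]:
    """'mod-b>=1.2,<2' -> ('mod-b', [('>=', (1, 2)), ('<', (2,))])."""
    m = _REQ.match(req)
    if not m:
        raise ValueError("unparseable requirement: %r" % req)
    name, rest = m.group(1), m.group(2)
    specs = []
    for part in filter(None, (p.strip() for p in rest.split(","))):
        sm = _SPEC.match(part)
        if not sm:
            raise ValueError("unsupported specifier: %r" % part)
        specs.append((sm.group(1), parse_version(sm.group(2))))
    return normalize(name), specs


def satisfies(version: str, specs) -> bool:
    """True if `version` meets every (operator, version) clause."""
    v = parse_version(version)
    return all(_OPS[op](_cmp(v, want)) for op, want in specs)


def check_coherence(snapshot: Snapshot) -> dict:
    """Resolve every intra-monorepo requirement against the versions checked in.

    Returns {'unsatisfied': [(dependent, requirement, version_found)],
             'external':    [(dependent, requirement)]}  # not in this monorepo
    """
    by_name = {normalize(m["name"]): m["version"] for m in snapshot.values()}
    unsatisfied, external = [], []
    for meta in snapshot.values():
        for req in meta["requires"]:
            name, specs = parse_requirement(req)
            if name not in by_name:
                external.append((meta["name"], req))
            elif not satisfies(by_name[name], specs):
                unsatisfied.append((meta["name"], req, by_name[name]))
    return {"unsatisfied": unsatisfied, "external": external}


def name_mismatches(snapshot: Snapshot) -> List[Tuple[str, str]]:
    """Module directories whose declared distribution name differs from the directory name."""
    return [(path, meta["name"]) for path, meta in snapshot.items()
            if normalize(path.rsplit("/", 1)[-1]) != normalize(meta["name"])]


if __name__ == "__main__":
    for label, snap in (("12345", COMMIT_12345), ("54321", COMMIT_54321)):
        print("commit", label, check_coherence(snap), "name mismatches:", name_mismatches(snap))
```

Running it shows the exact pattern from the message: at the first snapshot only `modc-client` fails A's requirement, at the second only `mod-b` does, so neither commit is a coherent release of all three modules. The `external` list separates requirements that have to come from outside the monorepo, which is where the PyPI trust question starts, and `name_mismatches` flags every directory whose PyPI name you would have to look up rather than guess.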