Issue with owner/repo packages #23
Comments
...and if I specify the full GH URL then I hit the https://github.com/nodejs/nodejs.org/pull/2671/checks?check_run_id=305868263#step:9:30 |
hey @XhmikosR, you are referring specifically to this package the way it is set in package.json:
and its corresponding lockfile entry:
If so, it looks like the syntax here is just |
Further on, a few things to note:
Using your package-lock.json as an example I get these issues: The first problem, related to To resolve the issue with the metalsmith package you'd have to both allow the github protocol and also support the empty hostname, and so the following should pass for that lockfile:
Sadly, that's not ideal because we're allowing an empty hostname there. It's not very obvious, but since that hostname is empty it's not in any malicious party's control, so it's not that bad either. @XhmikosR Let me know if this works for you. -- On a related note, does npm know how to handle a lockfile with just the |
Hey, @lirantal.
And
So, yeah, npm does know how to handle this and it's totally valid. Allowing an empty host, I'm not sure it makes a lot of sense, though?
|
to be honest, the problem I have is with npm allowing something like this:
which then becomes
because:
|
Because github is the default for npm. The same way it works if you do As for parsing it, yeah, it would require replacing the github part with https. Also, do note that there might be more cases like this. Maybe |
I understand it is the default, just expressing my personal view of not liking this implicit approach :) As for supporting other schemes, as long as you provide the scheme it should work just fine, regardless of what it actually is. So for example, if you have git+ssh type of resources then you should do this:
|
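Added example, not lockfile-lint's own code and not posted by anyone in this thread: a small Python checker for the two points made above, that npm's owner/repo shorthand is recorded as a github: source whose parsed hostname is empty (so both the scheme and the empty host have to be allowed), and that a git+ssh source passes only when its scheme is explicitly allowed. The lockfile layout is assumed to be the v1-style "dependencies" tree; every package name and URL except nodejs/nodejs.org@654e991 is constructed.

```python
# Added example, not lockfile-lint's own code: check the sources a lockfile pulls
# packages from against allow-lists of URL schemes and hostnames.  npm records the
# owner/repo shorthand as "github:owner/repo#sha", which parses as scheme "github"
# with an EMPTY hostname, so both the scheme and the empty host must be allowed.
from urllib.parse import urlparse

SAMPLE_LOCK = {  # constructed v1-style lockfile fragment (assumption); nodejs.org is from the thread
    "dependencies": {
        "lodash": {
            "version": "4.17.15",
            "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.17.15.tgz",
            "dependencies": {  # nested entry, fetched over plain http
                "plain-pkg": {"version": "1.0.0",
                              "resolved": "http://registry.npmjs.org/plain-pkg-1.0.0.tgz"},
            },
        },
        "nodejs.org": {"version": "github:nodejs/nodejs.org#654e991",
                       "from": "nodejs/nodejs.org"},
        "ssh-pkg": {"version": "git+ssh://git@github.com/example-org/ssh-pkg.git#abcdef0"},
        "mirror-pkg": {"version": "2.0.0",
                       "resolved": "https://mirror.example.net/mirror-pkg-2.0.0.tgz"},
    }
}

def iter_sources(deps):
    """Yield (name, source) per entry, recursing into nested dependencies.
    Git dependencies carry their URL in "version" and have no "resolved"."""
    for name, entry in deps.items():
        yield name, entry.get("resolved") or entry.get("version", "")
        yield from iter_sources(entry.get("dependencies", {}))

def lint_sources(lock, allowed_hosts, allowed_schemes):
    """Return [(name, source, reason)] for entries outside the allow-lists.
    Put "" in allowed_hosts to accept scheme-only sources like github:owner/repo."""
    problems = []
    for name, source in iter_sources(lock.get("dependencies", {})):
        parsed = urlparse(source)
        if not parsed.scheme:          # plain semver version: nothing fetched by URL
            continue
        host = parsed.hostname or ""   # urlparse gives None when the netloc is empty
        if parsed.scheme not in allowed_schemes:
            problems.append((name, source, f"scheme {parsed.scheme!r} not allowed"))
        elif host not in allowed_hosts:
            problems.append((name, source, f"host {host!r} not allowed"))
    return problems

if __name__ == "__main__":   # strict run: only https from the two known hosts
    print(lint_sources(SAMPLE_LOCK, {"registry.npmjs.org", "github.com"}, {"https"}))
```

With the strict allow-lists the github: and git+ssh entries are both rejected; adding "github" and "git+ssh" to the schemes and "" to the hosts lets them through while the http download and the unknown mirror are still reported.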
@XhmikosR wanted to let you know that this is now fixed in the latest versions of lockfile-lint, try this:
let me know if you have any questions or further issues but I'm confident this should solve the usage problem for you. |
Hey, @lirantal, sorry for the late reply :) So I just tried this on my branch and it still fails:
nodejs/nodejs.org@1fc4e25#diff-b9cfc7f2cdf78a7f4b91a753d10865a2R21 |
you don't actually need try again and let me know? |
@XhmikosR forgot to mention you for a ping about ☝️ |
Hey, @lirantal. Indeed without |
@XhmikosR I agree. Can you open a new issue for us to discuss this and some solutions we can think of? |
Done, see #63 |
So, I was trying a package saved as owner/repo: nodejs/nodejs.org@654e991
This doesn't pass with allowed hosts github, npm, but shouldn't it pass?