Allow NPM packages to be installed from a URL

[deepwell]

Update the NPM integration module to allow installing an npm package from a private URL instead of limiting it to public npm modules only.

This replaces the _isGitHubTarball() function to handle not just git tarballs, but to handle any compressed package on any server.

You then use this the same way as the current github tarball feature:
Inside your package.js file add:

Npm.depends({
  'your-package-name': 'http://website.com/example/your-package-name-0.0.1.tar.gz'
});

[apollo-cla]

@deepwell: Before we can merge your pull request, you'll need to sign the Meteor Contributor Agreement: https://contribute.meteor.com/

[glasser]

My philosophy here was that it's good for packages to declare their dependencies as strictly as possible, so that builds are fully reproducible. While http://website.com/example/your-package-name-0.0.1.tar.gz is probably fine, http://website.com/example/your-package-name.tar.gz is probably not fine, and https://github.com/foo/bar/tarball/master is even worse. (Yes, people can overwrite versions on npmjs.org but that's relatively rare (and it did in fact confuse Meteor when this happens).) I didn't want to make it trivially easy for people to write package definitions that are not reproducible. I may have erred too much on the conservative side here, though.

[deepwell]

Alright that's fair.

My need here is to be able to install private NPM modules that cannot be published to the official NPM repository, and therefore have to be pulled in from a non npmjs.org address.

An even better/simpler solution (for me) might be to use a github address with a tag (like npm) eg:

Npm.depends({
  'your-package-name': 'git+ssh://git@github.com:organization/your-project-name.git#v1.2.3'
});

Yes people can still abuse that; however, this is exactly what the node npm package currently supports.

[jagill]

@glasser, I agree fully with your goal to make builds reproducible. The ability to get an npm module from a repo is also very very important for development. Cloning a specific tag or hash allows it to be both reproducible, as well as from a repo -- any reason not to do that?

[apollo-cla]

@deepwell: Before we can merge your pull request, you'll need to sign the Meteor Contributor Agreement: https://contribute.meteor.com/

[n1mmy]

Oops, sorry for the meteor-bot spam. A bug on our end. You're all set.

[deepwell]

I'm happy with that. Should I change the patch as per my last comment?

[n-h]

Is this in the most recent version? I'm needing this ability as well? Thank you.

[apollo-cla]

@deepwell: Please do not create pull requests based on the master branch of the meteor repository. Typically, pull requests should be based on devel. See https://github.com/meteor/meteor/wiki/Contributing-to-Meteor for more suggestions on contributing to Meteor.