Allow NPM packages to be installed from a URL #1686
I got burned by [#1214] too, and since it was closed by the bot, here it is again. (I got burned by that too), this time based on
Update the NPM integration module to allow installing an npm package from a private URL instead of limiting it to public npm modules only.
This replaces the _isGitHubTarball() function to handle not just git tarballs, but to handle any compressed package on any server.
You then use this the same way as the current github tarball feature:
I still think it's important to make builds reproducible, but certainly our current specification is too conservative.
It's important to me that when Meteor has a fully supported third-party package repository (next up on our pre-1.0 roadmap), that packages are fully reproducible, but it might just be that packages in new-Atmosphere are prebuilt or something, or that we could apply more stringent rules to new-Atmosphere packages than to packages in your app.
Going to table thinking about this until new-Atmosphere actually exists.
We'll probably revisit this when we build out the package server, but this is a relatively safe start that removes our GitHub-specific check. Fixes #1686. (This doesn't technically fix the case in that bug but if you know what you're doing you can add the SHA yourself.)