Skip to content


Subversion checkout URL

You can clone with
Download ZIP


Git urls don't allow semver ranges #3328

NickHeiner opened this Issue · 20 comments

According to the documentation:

Git URLs as Dependencies
Git urls can be of the form:


The commit-ish can be any tag, sha, or branch which can be supplied as an argument to git checkout. The default is master.

I would like to be able use the full semver range syntax for the commit-ish part:


I'm dependent on git urls because my company uses a number of repos on our internal github instance, and we don't have our own npm registry. (Based on digging through some old issues, it wasn't even clear that setting up our own npm registry would be possible.)

Could I submit a PR for this?


If you want that to work, then tag or branch so that 1.0.x points to something in git. We're not going to walk through commits finding semver-ish-looking things and try to be clever about them.

@isaacs isaacs closed this

@isaacs We can walk through tags, though? I believe I proposed this to you in the past.


Yeah, it's not a good idea, though. Very complicated and weird. If you have loose git deps, then point at a branch, rather than a commit.


Write a pre-procressor for package.json, call your sourcefile clever-package.json or so. It's a known fact that pre-processors are the solution to just about any gripe you have with the syntax for your platform of choice. ;)

But seriously, the pre-processor could fix up the package.json for you so that it points to a real commit. It'd be certainly a useful little tool, if open source.

Ideally, npm would have a "preinstallpackages" script hook for this. Then you can be sure that the generated package.json is always up to date before it gets evaluated.


@isaacs It's certainly not a trivial implementation, but it would be very nice to have feature parity with bower here.


It's certainly not a trivial implementation

If we're talking about github only, it's trivial. I can't point out the exact commit, but it was done in visionmedia/npm and yapm a long time ago using github api and gh-lookup. Just run yapm install visionmedia/commander.js@^1.2.0 and see for yourself.

Actual git url's are more tricky than that, because you have to fetch the entire tree before you know what commit hash you need, and there are a few corner cases. But people usually look just for github repos anyway.


Amusingly, although I opened this issue originally, I've now come to agree with @isaacs that this would be "very complicated and weird". I would advise people to just use an npm registry instead of conflating source control with published package management.


@NickHeiner How's that working out with your private packages? Even today, years since npm started, private package hosting is only just in beta.


Even today, years since npm started, private package hosting is only just in beta.

npm private package hosting isn't the only one hosting available out there. I'm using private packages for 2 years now, and it works just fine.

But git urls are useful for public stuff, if people don't want to use npm registry for one reason or another.


npm private package hosting isn't the only one hosting available out there. I'm using private packages for 2 years now, and it works just fine.

Link to service provider?


@jasonkuhrt , if you are looking for a npm-compatible private registry installed on your servers, look at sinopia. If you're looking for 3rd party service provider (SaaS), check cnpm.


+1 this closed issue to the moon! :rocket:


@jasonkuhrt, we are hosting our own copy of the npm registry on couchdb. It's painful to maintain at times but generally works.


how come jspm is able to install git packages using a semver range ? can the same technique not be used ? i think it's just getting the tags using git ls-remote --tags and then do the semver match. no need to over complicate it ?
it would really be fantastic to be able to specify a semver range for github packages...


being impressed by the richness of node packages and the well working idea of reusable modules I am convinced that this is the very case where having an option of working semvers for git urls is worth extracting the job already done for bower.


bower.json has no problem with this syntax

"thingy": "",

I wish I could add a similar syntax to package.json.


+1 to this, I'm suffering without it :(((

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Something went wrong with that request. Please try again.