NPM packages are allowed to specify arbitrary urls to tarballs or Git urls as dependencies. Such dependencies are downloaded automatically when the dependent package is installed. In the case of an Artifactory remote repository proxying a remote NPM registry, this would prevent Artifactory from caching that dependency. Even worse, in an environment where the client does not have external internet access and is supposed to get all of its dependencies from Artifactory, the installation would fail.
I cannot find any information on how (or if) Artifactory deals with this problem. The only solution I can imagine would be rewriting the package.json file, which is invasive enough that I would think I would be able to find a reference to it if it were happening. Is this just an accepted limitation: a package that specifies an external dependency will bypass Artifactory? How significant of a problem is this in the real world? Do many packages specify external dependencies this way? I ask because I am trying to write a plugin for Artifactory that enables it to operate as a proxy for Composer, the dependency management tool for PHP. Composer has this similar problem of external dependencies, but even worse. I am hoping that understanding how Artifactory treats NPM will be helpful. -- View this message in context: http://forums.jfrog.org/NPM-remote-repositories-and-external-dependencies-tp7580039.html Sent from the Artifactory - Users mailing list archive at Nabble.com. ------------------------------------------------------------------------------ _______________________________________________ Artifactory-users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/artifactory-users
