Replies: 2 comments
-
|
I dont know if we want or need this right now tbh? |
Beta Was this translation helpful? Give feedback.
0 replies
-
|
Agreed, should probably come after the configuration framework is in place. Related to #94 |
Beta Was this translation helpful? Give feedback.
0 replies
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Uh oh!
There was an error while loading. Please reload this page.
-
Currently we determine where to download dependencies from a combination of the manifest file and (soon) the lockfile. However, in some cases we may want to override the locked URLs (ie, to use a local proxy or some mirror registry, or to work around defunct registries).
The registry + repository pair is recorded in the lockfile primarily as a convenience feature and an optimisation, so that no registry interactions are needed to resolve URLs for transitive dependencies. This is not meant as a security feature - the hash of the package serves that purpose instead. So swapping download locations should be something users can do easily without invalidating the lockfile. This could be a
buffrssetting or flag.Beta Was this translation helpful? Give feedback.
All reactions