Replies: 2 comments
-
I don't know if we want or need this right now tbh?
-
Agreed, should probably come after the configuration framework is in place. Related to #94
-
Currently we determine where to download dependencies from a combination of the manifest file and (soon) the lockfile. However, in some cases we may want to override the locked URLs (i.e., to use a local proxy or some mirror registry, or to work around defunct registries).
The registry + repository pair is recorded in the lockfile primarily as a convenience feature and an optimisation, so that no registry interactions are needed to resolve URLs for transitive dependencies. This is not meant as a security feature - the hash of the package serves that purpose instead. So swapping download locations should be something users can do easily without invalidating the lockfile. This could be a buffrs setting or flag.
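An added example, not part of the original post and not buffrs code: a sketch of the argument above, where the download origin is swapped by a user override while the locked hash still decides whether the bytes are accepted. The lock entry field names, the override mapping, the use of SHA-256 and the injected `fetch` callable are all assumptions made for illustration.

```python
import hashlib
import hmac
from urllib.parse import urlsplit, urlunsplit

# Constructed sample data. Field names are hypothetical, not buffrs' lockfile format.
PAYLOAD = b"constructed package bytes"
LOCKED = {
    "name": "example-api",
    "url": "https://registry.example.com/repo/example-api-1.0.0.tgz",
    "sha256": hashlib.sha256(PAYLOAD).hexdigest(),  # digest algorithm is an assumption
}

# Hypothetical user setting: locked origin -> replacement origin (proxy or mirror).
OVERRIDES = {"https://registry.example.com": "https://mirror.internal.example"}


def effective_url(locked_url, overrides):
    """Rewrite only the origin; the lock entry itself is never modified."""
    parts = urlsplit(locked_url)
    target = overrides.get(f"{parts.scheme}://{parts.netloc}")
    if target is None:
        return locked_url
    t = urlsplit(target)
    path = t.path.rstrip("/") + parts.path
    return urlunsplit((t.scheme, t.netloc, path, parts.query, ""))


def verify(entry, data):
    """Integrity comes from the locked hash, not from where the bytes came from."""
    digest = hashlib.sha256(data).hexdigest()
    if not hmac.compare_digest(digest, entry["sha256"]):
        raise ValueError(f"{entry['name']}: digest mismatch, refusing package")
    return data


def install(entry, overrides, fetch):
    """fetch(url) -> bytes is injected so the example runs offline."""
    url = effective_url(entry["url"], overrides)
    return url, verify(entry, fetch(url))


if __name__ == "__main__":
    url, _ = install(LOCKED, OVERRIDES, lambda u: PAYLOAD)
    print("fetched from", url)
    try:
        install(LOCKED, OVERRIDES, lambda u: PAYLOAD + b"tampered")
    except ValueError as err:
        print("rejected:", err)
```

The override changes where the request goes, and a mirror that serves different bytes is rejected without the lock entry ever being edited.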