[SUGGESTION] Support NPM workspaces in Git Dependencies #6253

Closed
kayahr opened this issue Mar 14, 2023 · 6 comments


kayahr commented Mar 14, 2023

Nowadays NPM supports workspaces everywhere but there is one important feature which has currently no workspace support: Git Dependencies. It is not possible to reference a specific NPM workspace in a monorepo with a Git URL.

Let's say I have a monorepo project named math using NPM workspaces to provide the modules math-vector, math-matrix, math-geometry and math-probability. And I have an application project myapp in which I want to install math-matrix and math-geometry via a Git URL. This would look like this:

"dependencies": {
    "math-matrix": "git+https://gitserver/path/math#hash",
    "math-geometry": "git+https://gitserver/path/math#hash"
}

The Git URL references the root of the monorepo which is just an empty NPM module so this currently doesn't work. And the same URL is referenced twice so most likely the repo is checked out twice which is unnecessary.

If we assume that the monorepo uses NPM workspaces then NPM can easily know that the checked out project has workspaces and also knows which workspaces are available, how they are named and which NPM modules they produce. And NPM knows the names of the requested NPM modules from the package.json of myapp. So it shouldn't be too hard to install the correct dependencies:

  1. Take the first dependency (math-matrix)
  2. Checkout the repository defined for this dependency.
  3. Check if there are more referenced dependencies with the same Git URL. Now NPM knows that it needs to install math-matrix and math-geometry from the same Git repository.
  4. Resolve the package.json files from the workspaces to determine internal dependencies in the monorepo. Let's say math-matrix depends on math-vector in the same monorepo so this must be installed, too. Now NPM knows that it needs to install math-matrix, math-vector and math-geometry.
  5. Run npm install and then npm pack for each needed workspace to create the tarballs.
  6. Install the tarballs in the referencing myapp.

Wouldn't that be a nice feature for a future NPM version? This could replace very ugly "solutions" found on the internet which involve complicated custom scripting or using specialized GitHub services like https://gitpkg.vercel.app/
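
Added example, not part of the original issue and not npm's code: a sketch of steps 1 to 4 of the proposal above, computing which workspaces would have to be packed per Git URL. The function names, the `checkouts` input shape and the sample manifests are assumptions; only specs starting with `git+` are treated as Git dependencies.

```javascript
// Constructed sample: myapp's dependencies as in the issue, plus one registry dep.
const appDeps = {
  "math-matrix": "git+https://gitserver/path/math#hash",
  "math-geometry": "git+https://gitserver/path/math#hash",
  "some-registry-pkg": "^1.0.0"
};
// Constructed sample: workspace manifests per checkout (hypothetical input shape).
const checkouts = {
  "git+https://gitserver/path/math#hash": {
    "math-vector": { dependencies: {} },
    "math-matrix": { dependencies: { "math-vector": "*" } },
    "math-geometry": { dependencies: {} },
    "math-probability": { dependencies: { "math-vector": "*" } }
  }
};
const has = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// Steps 1-3: group requested packages by Git URL so each repo is checked out once.
function groupByGitUrl(deps) {
  const groups = new Map();
  for (const [name, spec] of Object.entries(deps)) {
    if (!spec.startsWith("git+")) continue; // simplification: other Git spec forms ignored
    if (!groups.has(spec)) groups.set(spec, []);
    groups.get(spec).push(name);
  }
  return groups;
}
// Step 4: follow dependencies that name sibling workspaces (cycle-safe).
function workspacesToPack(requested, workspaces) {
  const needed = new Set();
  const queue = [...requested];
  while (queue.length > 0) {
    const name = queue.shift();
    if (needed.has(name)) continue;
    // A requested name the checkout does not provide is an error, not a silent skip.
    if (!has(workspaces, name)) throw new Error(`workspace ${name} not in checkout`);
    needed.add(name);
    for (const dep of Object.keys(workspaces[name].dependencies || {})) {
      if (has(workspaces, dep)) queue.push(dep); // external deps are left to the registry
    }
  }
  return [...needed].sort();
}
// Result: Git URL -> sorted workspaces to run `npm pack` on (steps 5-6 not shown).
function planInstall(deps, checkoutsByUrl) {
  const plan = {};
  for (const [url, names] of groupByGitUrl(deps)) {
    if (!has(checkoutsByUrl, url)) throw new Error(`no checkout for ${url}`);
    plan[url] = workspacesToPack(names, checkoutsByUrl[url]);
  }
  return plan;
}
```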

Contributor

ljharb commented Mar 14, 2023

Given that git deps are widely discouraged and invalidate a number of security properties, it seems perhaps better to encourage folks to publish their packages somewhere than to tacitly endorse using git deps by adding features for them.

Author

kayahr commented Mar 14, 2023

Is this an official statement or an opinion? Looking at the current documentation of npm-install there is no notice/warning that Git dependencies are a discouraged feature.

Git dependencies are very useful during development when for example changes for a new feature span over multiple separate NPM projects. A feature branch of project A simply references the corresponding feature branch of project B with a Git dependency and it automatically works for other developers and CI systems without the need of inventing branch-specific version numbers, without the need of constantly updating these version numbers and polluting the NPM registry with lots of temporary artifacts.

When development is done (or reaches a publishable alpha/beta state) then the packages are published of course.

Contributor

ljharb commented Mar 14, 2023

It's an opinion the npm team has expressed on many occasions, which I share. You're right it's not, like, officially deprecated/discouraged or anything yet.

Either way, suggestions go in https://github.com/npm/feedback or https://github.com/npm/rfcs. related: npm/rfcs#19

Author

kayahr commented Mar 14, 2023

Created npm/feedback#881

Contributor

ljharb commented Mar 14, 2023

Closing in favor of npm/feedback#881

ljharb closed this as completed Mar 14, 2023

eldoy commented Aug 3, 2024

I need this too. I guess NPM makes less money supporting this, ey?
