
What is the difference between installing an npm package via https and ssh? My expectation is that the downloaded package would be the same, but this is not the case. For example:

// package.json
"dependencies": {
    "lodash": "^4.17.19"
    // vs
    "lodash": "git@github.com:lodash/lodash.git#semver:^4.17.19"
}

When I use the first option, the actual npm package gets installed. When I install via the second option, I get only the files that are whitelisted from the repo but not the actual package itself.

I don't see a good explanation in the npm documentation. Why aren't these installing the same thing? Is there a way to install the actual package via ssh and not the commit itself?

MonkBen

1 Answer


Two ways of installing dependencies.

  1. From the NPM repository itself (specify the version)
  2. From GitHub (specify a branch OR commit and tag)

It is advisable to publish the minified/compiled version of the library to the registry rather than the source, unless it is necessary. So it is possible that what you get from NPM is different from the source repository itself.

It is really a question of the "place" (npm or GitHub) rather than the method (http or ssh).

Charlie
  • This makes sense. So the git+ssh will obviously only pull from git then. – MonkBen Jul 22 '20 at 16:47
  • Yes - a related post https://stackoverflow.com/questions/23210437/npm-install-private-github-repositories-by-dependency-in-package-jsonv – Charlie Jul 22 '20 at 17:08
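
As an added example (not part of the original answer, and not npm's own code), the sketch below classifies `package.json` dependency specifiers by where npm fetches them from: the question's ssh spec and an https git spec both resolve to the repository, and only the plain version range goes to the registry. The function names, the sample manifest and the pinned commit hash are constructed, and the patterns cover the common specifier forms rather than npm's full parser.

```javascript
// Added example; classifyRef, classifySpec and auditDependencies are hypothetical names.
const GIT_URL = /^(git\+(ssh|https?|file)|git|ssh):\/\//i;  // git+ssh://, git+https://, git://
const SCP_STYLE = /^[\w.-]+@[\w.-]+:[\w.\/-]+/;             // git@github.com:owner/repo.git
const HOST_SHORTHAND = /^(github|gitlab|bitbucket|gist):/i; // github:owner/repo
const BARE_GITHUB = /^[\w-][\w.-]*\/[\w.-]+(#.*)?$/;        // owner/repo

function classifyRef(ref) {
  if (!ref) return 'default-branch';
  if (ref.startsWith('semver:')) return 'semver-range-over-tags';
  if (/^[0-9a-f]{7,40}$/i.test(ref)) return 'commit';
  return 'branch-or-tag';
}

function classifySpec(spec) {
  if (/^(file:|\.{1,2}\/|\/|~\/)/.test(spec)) return { source: 'local', transport: null, ref: null };
  const isGit = [GIT_URL, SCP_STYLE, HOST_SHORTHAND, BARE_GITHUB].some((re) => re.test(spec));
  if (!isGit) {
    const source = /^https?:\/\//i.test(spec) ? 'tarball-url' : 'registry';
    return { source, transport: null, ref: null };
  }
  const hash = spec.indexOf('#');
  const ref = hash === -1 ? '' : spec.slice(hash + 1);
  const url = GIT_URL.exec(spec);
  let transport = 'shorthand';
  if (url) transport = url[1].toLowerCase().replace(/^git\+/, '');
  else if (SCP_STYLE.test(spec)) transport = 'ssh';
  return { source: 'git', transport, ref: classifyRef(ref) };
}

function auditDependencies(pkg) {
  const rows = [];
  for (const field of ['dependencies', 'devDependencies', 'optionalDependencies']) {
    for (const [name, spec] of Object.entries(pkg[field] || {})) {
      const c = classifySpec(spec);
      // Only a commit hash names fixed content; branches and tags can be moved.
      rows.push({ name, spec, ...c, mutable: c.source === 'git' && c.ref !== 'commit' });
    }
  }
  return rows;
}

// Constructed manifest: first two specs are from the question; the commit hash is a placeholder.
const samplePkg = { dependencies: {
  'lodash': '^4.17.19',
  'lodash-ssh': 'git@github.com:lodash/lodash.git#semver:^4.17.19',
  'lodash-https': 'git+https://github.com/lodash/lodash.git#semver:^4.17.19',
  'lodash-pinned': 'github:lodash/lodash#0123456789abcdef0123456789abcdef01234567',
} };
console.table(auditDependencies(samplePkg));
```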