NPM package rejected by corporate firewall #3827

Open
jrpool opened this issue Aug 20, 2018 · 3 comments
@jrpool
jrpool commented Aug 20, 2018

Did you verify this is a real problem by searching the NativeScript Forum and the other open issues in this repo?

Yes. It has been reported in:
https://discourse.nativescript.org/t/installing-nativescript-from-behind-a-corporate-proxy/696

Tell us about the problem

Please, ensure your title is less than 63 characters long and starts with a capital letter.

The organization I work at requires NPM packages to require dependencies only from NPM. NPM, too, advises against git dependencies. See https://blog.npmjs.org/post/145724408060/dealing-with-problematic-dependencies-in-a: "Generally, we discourage using Git dependencies in package.json, and it’s typically only used temporarily while a maintainer waits for an upstream fix to be applied and published."

When I tried to get NativeScript added to the internal repo for use by developers across the enterprise, my request was rejected because of Github dependencies.

Specifically, the approval team said this module has a dependency on https://github.com/telerik/node-bplist-parser/tarball/master, but the local repo cannot proxy to github.

They advised me to ask you if you could update the above-cited dependency to use a package in the npm registry. They warned that this might be complicated because of the fact that the dependency is a git fork of an npm package. They said you would need to publish your fork on npm and then update this module to use that npm package. This, they argued, would make the module more "corporate firewall friendly", which I assume would promote NativeScript's market share. They said proxying to github in the future is a possibility, but it brings added risk with it. And, per NPM as cited above, github dependencies don't seem to be a best practice anyway.

What I don't understand is why my company's team cited only one github dependency, when package.json seems to show several direct ones. If that needs clarification, I can ask them for it.

Which platform(s) does your issue occur on?

Both

Please provide the following version numbers that your issue occurs with:

  • CLI: (run tns --version to fetch it)
    4.2.2

Please tell us how to recreate the issue in as much detail as possible.

That does not seem practical.

@rosen-vladimirov
Contributor

rosen-vladimirov commented Sep 27, 2018

Hey @jrpool ,

First of all, please excuse me for this so late reply. Now straight to your question - you are right that using packages from github is not the best solution, as npm has some issues when trying to resolve them. However, until now we have not received any reports similar to yours (that GitHub dependencies cannot be used in a corporate environment).
The main reason that led us to use the packages from GitHub, instead of npm is that some of them are not maintained, so submitting a PR is not an option as there's no one to merge it and release a new version. For some of the other packages we have submitted PRs, but they were not merged due to different reasons.
Anyway, due to your request, we'll reconsider all of this and we'll try to remove the usage of packages from GitHub for one of our next releases. I'll describe here what should be done with each of the packages, so we can keep track of the issue:

  • cli-table - consider using cli-table-3, however we have a lot of specific logic in our fork of cli-table, so most probably it is safer to just publish a new package - ns-cli-table
  • tabtab - check the new version and see if it works for us. The code that we've changed in the past, no longer exists, so there's no need to send a PR. Check specifically the autocomplete of -- options. In case it does not work, publish a new package - ns-tabtab
  • xcode - send PR to the original node-xcode and see if they'll merge it. We've sent several PRs there in the past, so probably they'll merge a PR from our side. In case not, publish new package - ns-xcode (fix: update ns-dev-xcode to fix extension framework removal #4471)
  • xmlhttprequest - remove its usage - we needed it for EqatecAnalytics, however we are no longer using it. Remove the whole code for EqatecAnalytics and this dependency as well. (feat: improve analytics #4153)
  • zipstream - no longer maintained. Try using archiver or zip-stream instead. They have a lot of downloads, so just switch the usage to one of these packages instead of publishing our own version.

@yankedev
Is there a specific version of nativescript cli that has no github dependencies?

Our company would like to use nativescript but our policies forbid us to get NPM dependencies directly from github.

thanks for giving more information on this critical issue

@japj
japj commented Feb 3, 2021

Hello,

We have an on-premise AzureDevOps Server setup, using Azure Artifacts to mirror our npmjs.org upstream dependencies.
This is to prevent our build servers from directly accessing content from the internet.

So we have "the same" issue when trying to install nativescript-cli on our environment: GitHub URLs cannot be resolved on our build servers, only content from npmjs.org is allowed/supported.

Is there any progress on publishing of "ns-" specific versions of your dependencies to npmjs.org?

Thanks in advance!
