1
0
Fork 0
mirror of https://github.com/denoland/deno.git synced 2024-12-26 17:19:06 -05:00

docs: Clarify external code vendoring (#5597)

This commit is contained in:
Nayeem Rahman 2020-05-18 20:50:57 +01:00 committed by GitHub
parent 93c2164673
commit 76ee5c7808
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
2 changed files with 62 additions and 22 deletions

View file

@ -41,26 +41,10 @@ default directory is:
## FAQ
### But what if `https://deno.land/` goes down?
### How do I import a specific version of a module?
Relying on external servers is convenient for development but brittle in
production. Production software should always bundle its dependencies. In Deno
this is done by checking the `$DENO_DIR` into your source control system, and
specifying that path as the `$DENO_DIR` environmental variable at runtime.
### How can I trust a URL that may change?
By using a lock file (using the `--lock` command line flag) you can ensure
you're running the code you expect to be. You can learn more about this
[here](./linking_to_external_code/integrity_checking.md).
### How do you import to a specific version?
Simply specify the version in the URL. For example, this URL fully specifies the
code being run: `https://unpkg.com/liltest@0.0.5/dist/liltest.js`. Combined with
the aforementioned technique of setting `$DENO_DIR` in production to stored
code, one can fully specify the exact code being run, and execute the code
without network access.
Specify the version in the URL. For example, this URL fully specifies the code
being run: `https://unpkg.com/liltest@0.0.5/dist/liltest.js`.
### It seems unwieldy to import URLs everywhere.
@ -91,3 +75,31 @@ import { assertEquals, runTests, test } from "./deps.ts";
This design circumvents a plethora of complexity spawned by package management
software, centralized code repositories, and superfluous file formats.
### How can I trust a URL that may change?
By using a lock file (with the `--lock` command line flag), you can ensure that
the code pulled from a URL is the same as it was during initial development. You
can learn more about this
[here](./linking_to_external_code/integrity_checking.md).
### But what if the host of the URL goes down? The source won't be available.
This, like the above, is a problem faced by _any_ remote dependency system.
Relying on external servers is convenient for development but brittle in
production. Production software should always vendor its dependencies. In Node
this is done by checking `node_modules` into source control. In Deno this is
done by pointing `$DENO_DIR` to some project-local directory at runtime, and
similarly checking that into source control:
```shell
# Download the dependencies.
DENO_DIR=./deno_dir deno cache src/deps.ts
# Make sure the variable is set for any command which invokes the cache.
DENO_DIR=./deno_dir deno test src
# Check the directory into source control.
git add -u deno_dir
git commit
```

View file

@ -1,5 +1,33 @@
## Integrity checking & lock files
Deno can store and check module subresource integrity for modules using a small
JSON file. Use the `--lock=lock.json` to enable and specify lock file checking.
To update or create a lock use `--lock=lock.json --lock-write`.
Deno can store and check subresource integrity for modules using a small JSON
file. Use the `--lock=lock.json` to enable and specify lock file checking. To
update or create a lock use `--lock=lock.json --lock-write`.
A typical workflow will look like this:
```ts
// Add a new dependency to "src/deps.ts", used somewhere else.
export { xyz } from "https://unpkg.com/xyz-lib@v0.9.0/lib.ts";
```
```shell
# Create/update the lock file "lock.json".
deno cache --lock=lock.json --lock-write src/deps.ts
# Include it when committing to source control.
git add -u lock.json
git commit -m "feat: Add support for xyz using xyz-lib"
git push
```
Collaborator on another machine -- in a freshly cloned project tree:
```shell
# Download the project's dependencies into the machine's cache, integrity
# checking each resource.
deno cache -r --lock=lock.json src/deps.ts
# Done! You can proceed safely.
deno test --allow-read src
```