Super swell to see you take an interest in this! :D.
It seems you wrote your own sanitize-npm-version, but this is not (at all) how npm
what all the silly squigles mean :).
A general question on your blacklist approach; I like and appreciate this attempt
at 'breaking the cycle', but could we not just as well define some dummy packages?
As far as the importer is concerned, a dummy package would still be seen as
"dependency resolved, my work here is done", or am I missing an advantage of
Inspired by Ricardos commit here I rewrote most of the npm importer.
Added memoization, receive, stream->list, values and rewrote the tarball
fetcher to use only npm-uri and tarballs from the registry. Additionally
I implemented handling of scoped packages (e.g. @babel/core).
It contains less lines of code than Jelles importer.
And hopefully less places for bugs to hide in.
The single import works and is a lot faster and more reliable than
before when fuzzy matching on github was used. See it in action:
I think it is a step in the _wrong_ direction to depend in major ways on the npm
registry, besides for meta-information where needed. Nonetheless, the fuzzy
matching was really brittle as you say, and could have been a lot faster indeed.
1) we don't know if the registry-tarballs are reproducible.
Back in the day, they most definitely were not. Seeing as npm-land does not put
an emphasis on this at all, I think it is unwise to assume that any reproducible
features they offer today will still be available in the future.
2) filename is the same as the upstream tarball -> we should convert it
3) we have to download the tarball because sha256 is not among the
hashes computed by npm. (I emailed address@hidden to ask for them to
compute it for all their tarballs :) )
The result of the importer will probably be a package that we will be
building in the near future, right?
There is a bug which only affects the recursive importer. I tried hard
finding it but I'm in way over my head and my guile-foo does not seem to
cut it with this one. :)
For recursive output it downloads but outputs #f in the end instead of
the sexps. See example output: http://paste.debian.net/1054383/
Trying to debug via the REPL I met this:
scheme@(guile-user) > (npm-recursive-import "async")
$3 = #<stream ? ...>
I think I also ran into this. Could you please make your work available on a
public repo somewhere? It would be easier to look at your changes and play
around with it that way.