Cypress shouldn't be injecting a GitHub URL into the lockfile

[kaiyoma]

Current behavior:

A GitHub URL is put into the lockfile, which is much less reliable than an npm package.

Desired behavior:

Only npm packages should be downloaded.

Details

Last night, our builds failed for the better part of 4 hours because yarn install failed with this error:

07:01:29  [1/4] Resolving packages...
07:01:31  [2/4] Fetching packages...
07:02:18  error An unexpected error occurred: "https://codeload.github.com/cypress-io/request/tar.gz/b5af0d1fa47eec97ba980cde90a13e69a2afcd16: Request failed \"500 Internal Server Error\"".

I think it's bad practice for Cypress (or any other package) to be injecting GitHub URLs into package lockfiles, for exactly this reason. In my experience, the npm CDN is much more reliable. Also, we use an internal npm registry - which I'm sure many other organizations do as well - which caches package downloads, but that cache doesn't work if Cypress is trying to download directly from GitHub.

Whatever is being downloaded should be package-ified and put on npm, just like everything else. Or, it should be included in the Cypress binary. We're also caching that locally, but this GitHub URL circumvents that cache as well.

Versions

Cypress: 4.1.0

[flotwig]

Fixed in 4.3.0, please try upgrading: #6752

[kaiyoma]

That won't be possible unfortunately until you guys fix your big TypeScript problem: #6690