{"id":22736954,"url":"https://github.com/sourcemeta/vendorpull","last_synced_at":"2025-04-14T04:33:04.790Z","repository":{"id":45560101,"uuid":"342405011","full_name":"sourcemeta/vendorpull","owner":"sourcemeta","description":"A simple vendoring package manager","archived":false,"fork":false,"pushed_at":"2025-02-24T14:17:00.000Z","size":147,"stargazers_count":10,"open_issues_count":0,"forks_count":1,"subscribers_count":1,"default_branch":"main","last_synced_at":"2025-03-27T18:21:39.363Z","etag":null,"topics":["git","package-manager","vendor","vendoring"],"latest_commit_sha":null,"homepage":"","language":"Shell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"agpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/sourcemeta.png","metadata":{"files":{"readme":"README.markdown","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null},"funding":{"github":"sourcemeta","patreon":"sourcemeta","open_collective":"sourcemeta"}},"created_at":"2021-02-25T23:15:54.000Z","updated_at":"2025-02-24T14:17:07.000Z","dependencies_parsed_at":"2024-03-30T15:32:13.711Z","dependency_job_id":null,"html_url":"https://github.com/sourcemeta/vendorpull","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sourcemeta%2Fvendorpull","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sourcemeta%2Fvendorpull/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sourcemeta%2Fvendorpull/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sourcemeta%2Fvendorpull/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/ho
sts/GitHub/owners/sourcemeta","download_url":"https://codeload.github.com/sourcemeta/vendorpull/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":248821901,"owners_count":21166979,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["git","package-manager","vendor","vendoring"],"created_at":"2024-12-10T22:08:25.854Z","updated_at":"2025-04-14T04:33:04.771Z","avatar_url":"https://github.com/sourcemeta.png","language":"Shell","readme":"vendorpull\n==========\n\n`vendorpull` is a simple vendoring package manager that takes care of managing\na `vendor` directory in your project.\n\nWhy would I want to vendor my dependencies?\n-------------------------------------------\n\nMany high-profile projects, such as Node.js and\n[Golang](https://blog.filippo.io/most-go-tools-now-work-with-go15vendorexperiment/),\nvendor their dependencies for some of the following reasons:\n\n- Including dependencies as part of your `git` repository ensures that your\n  project continues to work even if the dependencies cannot be resolved\n  anymore. This happens in practice when repositories are moved between hosting\n  providers, their history is re-written, or they are simply taken down\n\n- In various types of software projects, making changes to a third-party\n  dependency and rapidly testing the application with the corresponding\n  dependency changes requires significant acrobatics and maneuvers involving\n  forking the dependency project, monkey-patching the build system to compile a\n  dependency from a custom location, etc\n\n- Strongly 
separating your application code from the third-party projects that\n  it depends on at the code level makes developers less likely to cross that\n  barrier for debugging purposes. If you depend on a third-party project, then\n  you have as much responsibility over it as over your application code and\n  vendoring encourages that behavior\n\n- Some types of projects are not well-suited to a particular package manager.\n  For example, Node.js projects are typically released on `npm` and Python\n  projects are typically released on `pip`. However, what is the best way to\n  release a software project consisting of shell scripts or a dataset of CSV\n  files? You can abuse another package manager to release them or work with\n  them at the version control level using `git` submodules or a tool like\n  `vendorpull`\n\nPlatform support\n----------------\n\n`vendorpull` runs on any POSIX system such as GNU/Linux, macOS, FreeBSD, etc.\nIts only external dependency is `git`. `vendorpull` can be run in Microsoft\nWindows through the [Windows Subsystem for\nLinux](https://docs.microsoft.com/en-us/windows/wsl/) or\n[MinGW](https://sourceforge.net/projects/mingw/).\n\nInstallation\n------------\n\nGo to the root of the repository you want to set up `vendorpull` in and run the\nfollowing command:\n\n```sh\n/bin/sh -c \"$(curl -fsSL https://raw.githubusercontent.com/sourcemeta/vendorpull/main/bootstrap -H \"Cache-Control: no-cache, no-store, must-revalidate\")\"\n```\n\nThe bootstrap script will install `vendorpull` at `vendor/vendorpull` and set\n`vendorpull` as a dependency in a way such that `vendorpull` can manage itself.\n\nManaging dependencies\n---------------------\n\nYou can declare your dependencies using a simple `DEPENDENCIES` file where each\nrow corresponds to a repository you want to vendor in your project. 
For example:\n\n```\nvendorpull https://github.com/jviotti/vendorpull 6a4d9aa9d8ee295151fd4cb0ac59f30f20217a8f\ndepot_tools https://chromium.googlesource.com/chromium/tools/depot_tools.git 399c5918bf47ff1fe8477f27b57fa0e8c67e438d\nelectron https://github.com/electron/electron 68d9adb38870a6ea4f8796ba7d4d9bea2db7b7a0\n```\n\nIn this case, we're vendoring `vendorpull` itself, Chromium's `depot_tools`,\nand the Electron project.\n\n- The first column defines the dependency name as it will be vendored in the\n  project. The dependency is vendored inside the `vendor` directory.\n- The second column defines the repository URL of the dependency\n- The third column defines the `git` revision of the project that you\n  want to vendor\n\nIn order to pull all dependencies, run the following command:\n\n```sh\n./vendor/vendorpull/pull\n```\n\nYou can also pull a single dependency by specifying its name as the first argument. For example:\n\n```sh\n./vendor/vendorpull/pull depot_tools\n```\n\nUpdating\n--------\n\n`vendorpull` is managed using `vendorpull` itself and follows the\n[live-at-head](https://github.com/abseil/abseil-cpp#releases) philosophy.\nTherefore you can update `vendorpull` by updating the `vendorpull` revision\nfrom the `DEPENDENCIES` file and running the following command:\n\n```sh\n./vendor/vendorpull/pull vendorpull\n```\n\nMasking\n-------\n\nIn some cases, vendoring a dependency might incur a significant space overhead\nin your `git` repository. In these cases, you might want to ignore certain\npaths of the vendored repository that you are not interested in, which we refer\nto as *masking*.\n\nIn order to mask a dependency, you can create a file called\n`vendor/\u003cname\u003e.mask` where `\u003cname\u003e` corresponds to the dependency name as\ndefined in the `DEPENDENCIES` file. 
This file contains a set of paths relative\nto the dependency path that will be removed when vendoring the dependency.\n\nFor example, at the time of this writing, the Electron project repository\ncontains an 8.1M `docs` directory. We can ignore this directory by creating a\n`vendor/electron.mask` file whose contents are the following:\n\n```\ndocs\n```\n\nIf you do not provide a `.mask` file in the project consuming the dependency,\nvendorpull will look for a *default* mask file called `vendorpull.mask` at the\ntop level of the project you are vendoring.\n\nPatches\n-------\n\nSometimes it's necessary to apply a set of patches to a vendored dependency\nright after pulling it into the project. You can do this automatically by\nplacing a set of `*.patch` files produced with\n[`git-format-patch(1)`](http://schacon.github.io/git/git-format-patch.html)\ninto a `patches/\u003cname\u003e` directory where `\u003cname\u003e` corresponds to a dependency\nname as defined in the `DEPENDENCIES` file.\n\nGitHub integration\n------------------\n\nWe recommend adding the following line to `.gitattributes` to [prevent\nGitHub](https://docs.github.com/en/github/administering-a-repository/managing-repository-settings/customizing-how-changed-files-appear-on-github)\nfrom automatically rendering files in `vendor` during upgrade pull requests:\n\n```\n/vendor/** linguist-generated=true\n```\n\nLicense\n-------\n\nThis project is licensed under the Apache-2.0 license.\n","funding_links":["https://github.com/sponsors/sourcemeta","https://patreon.com/sourcemeta","https://opencollective.com/sourcemeta"],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsourcemeta%2Fvendorpull","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fsourcemeta%2Fvendorpull","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsourcemeta%2Fvendorpull/lists"}