Edits to package.json no longer work as of March 2022 #35

@willroberts

GitHub permanently removed support for the unauthenticated Git protocol in March 2022: https://github.blog/2021-09-01-improving-git-protocol-security-github/

bower-away adds dependencies to package.json like so:

"@bower_components/some-component": "git://github.com/some-github-org/some-component.git#1.2.3",

As mentioned in the article, the unauthenticated Git protocol is no longer supported. The URL can be modified to use HTTPS, but anchors and redirection are not supported, meaning we can't specify the dependency version:

% git clone https://github.com/some-github-org/some-component.git#1.2.3
Cloning into 'some-component.git#1.2.3'...
fatal: unable to update url base from redirection:
  asked for: https://github.com/some-github-org/some-component.git#1.2.3/info/refs?service=git-upload-pack
   redirect: https://github.com/some-github-org/some-component

Slightly different issue with git+ssh:

% git clone git+ssh://git@github.com/some-github-org/some-component.git#v1.0.0
Cloning into 'some-component.git#v1.0.0'...
fatal: remote error:
   is not a valid repository name

There doesn't seem to be an easy way to resolve this, so bower-away would need some modifications to continue working.
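An added example, not part of the original issue and not bower-away's code: the `#1.2.3` suffix is npm's git-dependency convention (npm's documented form is `git+https://host/path.git#<commit-ish>`), and plain `git clone` treats it as part of the repository path, which is what the errors above show. The sketch below rewrites `git://github.com/...` entries in a parsed package.json to `git+https://` while keeping the ref, and derives the equivalent plain-git arguments; the function names and the sample manifest are constructed for illustration.

```javascript
// Added example, not bower-away's code. The sample manifest is constructed.
const SECTIONS = ["dependencies", "devDependencies", "optionalDependencies"];

// Split an npm-style git spec into the URL and the "#ref" suffix.
// The suffix is an npm convention; git itself does not parse it.
function splitSpec(spec) {
  const hash = spec.indexOf("#");
  if (hash === -1) return { url: spec, ref: null };
  return { url: spec.slice(0, hash), ref: spec.slice(hash + 1) };
}

// Rewrite one spec only if it uses unauthenticated git:// against github.com.
function rewriteSpec(spec) {
  const { url, ref } = splitSpec(spec);
  let parsed;
  try { parsed = new URL(url); } catch { return spec; } // semver ranges etc.
  const host = parsed.hostname.toLowerCase();
  if (parsed.protocol !== "git:" || host !== "github.com") return spec;
  const https = `git+https://github.com${parsed.pathname}`;
  return ref ? `${https}#${ref}` : https;
}

// Apply rewriteSpec to every dependency section; return what changed.
function rewriteManifest(pkg) {
  const changes = [];
  for (const section of SECTIONS) {
    for (const [name, spec] of Object.entries(pkg[section] || {})) {
      const fixed = typeof spec === "string" ? rewriteSpec(spec) : spec;
      if (fixed === spec) continue;
      pkg[section][name] = fixed;
      changes.push({ section, name, from: spec, to: fixed });
    }
  }
  return changes;
}

// Plain-git equivalent: the ref goes in --branch (tags and branches only),
// never in the URL.
function gitCloneArgs(spec) {
  const { url, ref } = splitSpec(spec);
  const cloneUrl = url.replace(/^git\+/, "");
  return ref ? ["clone", "--branch", ref, cloneUrl] : ["clone", cloneUrl];
}

const samplePkg = { dependencies: {
  "@bower_components/some-component":
    "git://github.com/some-github-org/some-component.git#1.2.3",
  "left-alone": "^4.17.0", // constructed entry; must stay untouched
} };
const sampleChanges = rewriteManifest(samplePkg);
console.log(JSON.stringify(samplePkg, null, 2), sampleChanges.length);
```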
