-
Notifications
You must be signed in to change notification settings - Fork 4.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Framework: Add package-lock precommit check for latest NPM #21306
Conversation
Size Change: +279 B (0%) Total Size: 890 kB
ℹ️ View Unchanged
|
What will happen when you are offline? Will it prevent committing changes? It might be an acceptable trade-off but I wanted to make sure we are fully aware of it. Do you happen to know if all other precommit checks work offline? |
That's a very good point which I hadn't considered. I don't think we'd want to forbid someone from being able to work effectively while offline. At the same time, if we consider this to be important to avoiding the introduction of problematic changes, then we want to have high confidence they're running the correct version. The current proposed implementation otherwise blocks a commit in other cases of an inability to retrieve details about the package, so there's some precedent from that we could use. Still, I might want to explore...
|
The build failures here are quite interesting. There appears to be some incompatibility with our current TypeScript configuration and the new dependency update I included here. (cc @sirreal , more of a heads up. I haven't had a chance yet to dive into it) |
Error is here:
Looks like they're using some constructs in the declaration that prohibit It's fine to disable that compiler option for Lines 3 to 15 in 4f144b4
|
I updated to override |
How does this work when not being connected to the internet? |
D'oh, thanks! I swear I used CMD+F to search for this... |
Reflecting some more, I'm thinking: We should probably still block the commit by default. In these specific circumstances, we can include additional messaging about why it's enforced, and how to work around it (i.e. |
25b2cb5
to
aac7243
Compare
Updated in aac7243 Here's how it reads:
This should be ready for a final review now. |
This is actually the case:
We can strip the warnings to get the raw value:
I'm a bit reluctant still, partly out of effort required to revise the implementation, but also because: Per the warning message, this data can be stale, which contradicts what I'd proposed in #21306 (comment) and aac7243, where we enforce live data as a guarantee to ensure the latest version is known. I'm inclined to keep things as they are, but we could always reconsider this in the future if it becomes a problem. Happy to hear other thoughts as well. |
The issue is that when someone is offline, they still can use |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thank you for working on it 👍
To remove redundant chalk dependency entries (resolved instead from root)
Apparently this was addressed as part of the latest 4.0.0 release. I'll see if I can remove the override now. Edit: Reverted in d676360. |
This reverts commit 40703df.
|
||
It is required that you have the latest version of NPM installed in order to commit a change to the package-lock.json file. | ||
|
||
Run ${ yellow( 'npm install --global npm@latest' ) }, then try again.` |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Should we expand the message with the recommendation to run npm install
again after installing the latest version of npm
?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Should we expand the message with the recommendation to run
npm install
again after installing the latest version ofnpm
?
That's an excellent point, considering it's primarily the reason we're asking people to update 😅 (so that package-lock.json
changes are accurate, which are adjusted only after npm install
).
I can put together a small follow-up pull request.
This pull request seeks to add a pre-commit task which verifies that any changes to the root
package-lock.json
can only be committed if the local NPM version matches the latest available NPM version. This is in line with the documented required environment, and is intended to resolve cases wherepackage-lock.json
is wrongly updated with invalid values due to use of outdated version of NPM (see #16157 (comment)).Testing Instructions:
git checkout add/latest-npm-package-lock-check
npm i -g [email protected]
package-lock.json
echo "example" >> package-lock.json
git add . && git commit -m "test"
npm i -g npm@latest
git commit -m "test"