Starting in version 7.165.0 of sfdx, installing via npm produces the exact dependency tree that was used when we created the release.
Why are we making this change?
For installations of sfdx <= 7.164.2, npm installed newer versions of the CLI's dependencies, which sometimes resulted in errors because we hadn't tested those exact combinations. Starting in version 7.165.0, we lock down the CLI dependencies with a shrinkwrap lockfile. As a result, users installing sfdx from npm now get immutable builds.
See npm-shrinkwrap for details.
The sf executable of Salesforce CLI has been including a shrinkwrap lockfile since v1.10.0.
Frequently Asked Questions
This FAQ applies to both executables of Salesforce CLI (sf and sfdx).
Do I need to take some action as a result of this change?
No. Install and update sfdx the same way as always.
Does this change affect the macOS/Windows installers and TAR files?
No. The shrinkwrap lockfile is included only in the package released to the npm registry. The OS-specific installers and TAR files bundle dependencies at release time and don't use this lockfile.
I'm seeing devDependencies being installed in the npm global folder, why is that?
This is probably due to an open (as of Aug 18, 2022) bug in npm. Installing these devDependencies shouldn't affect the functionality of the CLI itself. But it can make npm take a longer time to finish the installation, because it fetches unused dependencies. It also increases the install size and can cause security scanners to report as vulnerable packages that aren't used by sfdx when distributed.
As of today, if you use npm >= v8, you should not get devDependencies when installing sfdx with the npm install --global sfdx-cli command. If you see this happening, open a new issue.
There's no known workaround for npm v6 (bundled in the current Node v14, Maintenance LTS) to avoid installing these unused devDependencies other than moving to npm v8. Either update your CI pipelines to use Node v16, which includes npm v8, or update npm before installing sfdx by running npm install --global npm@latest.
Note that the EOL of Node v14 is 2023-04-30. We will no longer support v14 after that date. See the Node.js release schedule for more information.
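For triaging the scanner reports mentioned in the devDependencies answer, here is an added example (not code from the issue or from Salesforce CLI) that splits findings into dev-only and runtime packages using the `dev: true` flag npm writes into lockfile entries. The sample lockfile, the package names and the `{name, version}` shape of a finding are constructed assumptions.

```javascript
// Constructed sample in the lockfileVersion 2 layout; names and versions are made up.
const sampleLock = {
  lockfileVersion: 2,
  packages: {
    "": { name: "example-cli", version: "1.0.0" },
    "node_modules/runtime-lib": { version: "2.1.0" },
    "node_modules/test-runner": { version: "9.0.0", dev: true },
    "node_modules/@scope/lint-tool": { version: "4.2.1", dev: true },
    // Same name@version reached from a runtime dependency: must not count as dev-only.
    "node_modules/runtime-lib/node_modules/@scope/lint-tool": { version: "4.2.1" },
  },
};
// Map "name@version" -> true only if every lockfile entry for it is flagged dev.
function indexLockfile(lock) {
  const index = new Map();
  const record = (name, meta) => {
    if (!meta.version) return; // e.g. workspace links carry no version
    const key = `${name}@${meta.version}`;
    index.set(key, (index.get(key) ?? true) && meta.dev === true);
  };
  if (lock.packages) {
    // lockfileVersion 2/3: flat map keyed by install path.
    for (const [path, meta] of Object.entries(lock.packages)) {
      const at = path.lastIndexOf("node_modules/");
      if (at >= 0) record(path.slice(at + "node_modules/".length), meta);
    }
  } else {
    // lockfileVersion 1 (written by npm v6): nested "dependencies" objects.
    const walk = (deps = {}) => {
      for (const [name, meta] of Object.entries(deps)) {
        record(name, meta);
        walk(meta.dependencies);
      }
    };
    walk(lock.dependencies);
  }
  return index;
}
// Split scanner findings ({name, version}) by how the lockfile classifies them.
function triageFindings(findings, lock) {
  const index = indexLockfile(lock);
  const out = { devOnly: [], runtime: [], unknown: [] };
  for (const { name, version } of findings) {
    const key = `${name}@${version}`;
    const bucket = !index.has(key) ? out.unknown : index.get(key) ? out.devOnly : out.runtime;
    bucket.push(key);
  }
  return out;
}
```

Findings that land in `unknown` are not in the lockfile at all, so they should be investigated rather than dismissed as dev-only noise.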