
Locking dependencies with npm shrinkwrap #1678

Closed
cristiand391 opened this issue Aug 18, 2022 · 2 comments

Comments

cristiand391 commented Aug 18, 2022

Starting in version 7.165.0 of sfdx, installing via npm produces the exact dependency tree that was used when we created the release.

Why are we making this change?

For installations of sfdx <= 7.164.2, npm installed newer versions of the CLI's dependencies, which sometimes resulted in errors because we hadn't tested those exact combinations. Starting in version 7.165.0, we lock down the CLI dependencies with a shrinkwrap lockfile. As a result, users installing sfdx from npm now get immutable builds.

See npm-shrinkwrap for details.

The sf executable of Salesforce CLI has been including a shrinkwrap lockfile since v1.10.0.

Frequently Asked Questions

This FAQ applies to both executables of Salesforce CLI (sf and sfdx).

Do I need to take some action as a result of this change?

No. Install and update sfdx the same way as always.

Does this change affect the macOS/Windows installers and TAR files?

No. The shrinkwrap lockfile is included only in the package released to the npm registry. The OS-specific installers and TAR files bundle dependencies at release time and don't use this lockfile.

I'm seeing devDependencies being installed in the npm global folder, why is that?

This is probably due to an open (as of Aug 18, 2022) bug in npm. Installing these devDependencies shouldn't affect the functionality of the CLI itself. But it can make npm take a longer time to finish the installation, because it fetches unused dependencies. It also increases the install size and can cause security scanners to report packages that aren't used by sfdx when distributed as vulnerable.

As of today, if you use npm >= v8, you should not get devDependencies when installing sfdx with the npm install --global sfdx-cli command. If you see this happening, open a new issue.

There's no known workaround for npm v6 (bundled in the current Node v14, Maintenance LTS) to avoid installing these unused devDependencies other than moving to npm v8. Either update your CI pipelines to use Node v16, which includes npm v8, or update npm before installing sfdx by running npm install --global npm@latest.

Note that the EOL of Node v14 is 2023-04-30. We will no longer support v14 after that date. See the Node.js release schedule for more information.

@cristiand391 cristiand391 added the announcement Announcement to the community label Aug 18, 2022
@cristiand391 cristiand391 pinned this issue Aug 18, 2022
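As an added example (not code from the sfdx-cli project), a small Node.js check of the mechanism described above: compare a shrinkwrap lockfile's pinned runtime tree (lockfileVersion 2/3 `packages` map) with what an installer actually wrote, flagging version drift, entries without an integrity hash, and `dev: true` entries that should not have landed in a global install. Package names, versions and integrity strings are constructed placeholders.

```javascript
// Constructed sample npm-shrinkwrap.json (lockfileVersion 2 layout).
// Names, versions and integrity values are placeholders, not the real
// sfdx-cli dependency tree.
const shrinkwrap = {
  name: "example-cli",
  lockfileVersion: 2,
  packages: {
    "": { name: "example-cli", version: "1.0.0" },
    "node_modules/left-pad": { version: "1.3.0", integrity: "sha512-CONSTRUCTED1==" },
    "node_modules/chalk": { version: "4.1.2", integrity: "sha512-CONSTRUCTED2==" },
    "node_modules/semver": { version: "7.3.7" }, // constructed: pinned but no hash
    "node_modules/mocha": { version: "10.0.0", integrity: "sha512-CONSTRUCTED3==", dev: true },
  },
};

// Constructed view of what an installer actually wrote: path -> version.
// Here chalk drifted to a newer patch release and mocha (a devDependency)
// was installed, the symptom the FAQ attributes to the npm bug.
const installed = {
  "node_modules/left-pad": "1.3.0",
  "node_modules/chalk": "4.1.3",
  "node_modules/semver": "7.3.7",
  "node_modules/mocha": "10.0.0",
};

// Compare the lockfile's pinned runtime tree against the installed tree.
// Returns the findings plus an "ok" flag that is true only when the install
// is exactly the immutable build the lockfile describes.
function auditInstall(lock, tree) {
  const findings = { drift: [], missing: [], unpinned: [], devInstalled: [] };
  for (const [path, meta] of Object.entries(lock.packages)) {
    if (path === "") continue; // root package entry, not a dependency
    if (meta.dev) {
      if (path in tree) findings.devInstalled.push(path);
      continue; // devDependencies must not be present in a global install
    }
    if (!meta.integrity) findings.unpinned.push(path); // no hash => not verifiable
    if (!(path in tree)) findings.missing.push(path);
    else if (tree[path] !== meta.version) {
      findings.drift.push({ path, expected: meta.version, actual: tree[path] });
    }
  }
  findings.ok = Object.values(findings).every((v) => v.length === 0);
  return findings;
}

console.log(JSON.stringify(auditInstall(shrinkwrap, installed), null, 2));
```

On a real install, build `installed` by reading `node_modules/*/package.json` under the global prefix (`npm root -g`) and load the shrinkwrap from the installed package directory.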
@azlam-abdulsalam

Finally... great news. This will reduce a lot of issues.


yippie commented Aug 31, 2022

FINALLY

Now that npm bug makes me continue to distrust npm-based installs, but that is no longer a Salesforce issue.

@mshanemc mshanemc removed the announcement Announcement to the community label Nov 11, 2022
@mshanemc mshanemc unpinned this issue Nov 11, 2022