Install devDependencies by default #519
Conversation
|
Would it be possible to provide an option to opt out of this? As-is this will mean we install/cache packages that we don't need. It's such a shame that |
@edmorley I intend to make it so that you can configure it to only install I believe this will be a better default for most users though. |
|
Agreed that it's a shame there's no concept of build dependencies (for things like build, but also CI). While this will install |
|
@hunterloftis I'm currently pruning after the cache is saved. Otherwise the user needs to re-download all of the build tooling again the next time. |
|
Ah yeah, I hadn't thought about that. Glad you have :) |
jmorrell
force-pushed
the
dev-dependencies-change
branch
from
db8ce6e
to
30f5499
Compare
| fi | ||
| } | ||
|
|
||
| header "Pruning devDependencies" |
There was a problem hiding this comment.
This is the terminology that npm uses, but I don't love it.
Is there a clearer way to get across "we're removing the modules defined in devDepenencies from node_modules"?
There was a problem hiding this comment.
If it's the command in both yarn and npm, it's probably fine since that's what people will be familiar with.
jmorrell
changed the title
|
@edmorley I can't tag you as a reviewer, but I'd appreciate it if you took a look :) |
| @@ -211,6 +211,17 @@ cache_build() { | |||
| header "Caching build" | |||
There was a problem hiding this comment.
This changes a lot of the fixture files for tests which can be mostly ignored. The important changes are found in:
bin/compile
lib/dependencies.sh
lib/environment.sh
lib/failure.sh
With tests changes in:
test/run
| @@ -122,8 +122,7 @@ fail_yarn_outdated() { | |||
| local log_file="$1" | |||
| local yarn_engine=$(read_json "$BUILD_DIR/package.json" ".engines.yarn") | |||
|
|
|||
| if grep -qi 'error: unknown option .--frozen-lockfile' "$log_file"; then | |||
| echo "ran" | |||
| if grep -qi 'error .install. has been replaced with .add. to add new dependencies' "$log_file"; then | |||
There was a problem hiding this comment.
This is changed because in these earlier versions adding the --production flag changes the error message that is displayed
| testNoEnvVars() { | ||
| env_dir=$(mktmpdir) | ||
| compile "stable-node" "$(mktmpdir)" $env_dir | ||
| assertCaptured "NPM_CONFIG_PRODUCTION=true" |
There was a problem hiding this comment.
We're no longer setting NPM_CONFIG_PRODUCTION by default
| @@ -263,10 +270,6 @@ testWarnDevDeps() { | |||
| assertCaptured "A module may be missing" | |||
| assertNotCaptured "This module may be specified" | |||
| assertCapturedError | |||
| compile "missing-devdeps-2" | |||
There was a problem hiding this comment.
This will no longer result in an error so I've removed it
| @@ -712,7 +777,7 @@ testShrinkwrap() { | |||
| compile "shrinkwrap" | |||
| assertCaptured "[email protected]" | |||
| assertCaptured "[email protected]" | |||
| assertNotCaptured "mocha" | |||
| assertCaptured "mocha@2.0.1" | |||
There was a problem hiding this comment.
This is now installed by default
| @@ -811,6 +918,10 @@ compileTest() { | |||
| for f in ${compile_dir}/.profile.d/*; do source $f > /dev/null 2> /dev/null ; done | |||
|
|
|||
| capture ${bp_dir}/bin/test ${compile_dir} | |||
|
|
|||
There was a problem hiding this comment.
Fixes a bug in the compileTest function that would cause subsequent tests to fail
lib/dependencies.sh
Outdated
| yarn_prune_devdependencies() { | ||
| local build_dir=${1:-} | ||
|
|
||
| if [ $NODE_ENV == "test" ]; then |
There was a problem hiding this comment.
This will be caught by the elif clause below. Do we want the explicit messaging here?
| local build_dir=${1:-} | ||
| local npm_version=$(npm --version) | ||
|
|
||
| if [ $NODE_ENV == "test" ]; then |
There was a problem hiding this comment.
Same as the yarn comment above, but wanted to point it out for completeness sake.
|
I ran through all the (non test) code. This looks good. I tried to find a OS X event library in node, but it looks like all file watcher libs are cross platform that are popular. I'm not sure of other platform specific libs that would only show up in node. As a suggestion to provide helpful messaging to users who builds work now but may break with this change, the buildpack can mark in the cache the buildpack version number and the success state with this PR. If the build fails and the last build was not using this buildpack and the last build was not a success, then we can display how to opt into the old functionality. |
There was a problem hiding this comment.
I've verified that the buildpack & reference apps that I maintain deploy cleanly using this dev-dependencies-change branch:
Thanks for your meticulous efforts on this @jmorrell 🎩
There was a problem hiding this comment.
Hi! I had a quick read through - looks great :-)
(Also glad there is an option for those that need to revert to the previous behaviour)
Things I noticed:
- Does
warn_missing_devdepsin failure.sh need updating to also check forYARN_PRODUCTION? - Can the
NPM_CONFIG_PRODUCTIONexport now be removed frombin/test-compile? - In
environment.sh'slist_node_config, should themcount "npm-config-production-true"also includeYARN_PRODUCTION(or a new count be added)?
| if [ $NODE_ENV == "test" ]; then | ||
| echo "Skipping because NODE_ENV is 'test'" | ||
| return 0 | ||
| elif [ $NODE_ENV != "production" ]; then |
There was a problem hiding this comment.
It might be worth quoting the $NODE_ENV and the various other variables in conditionals, since otherwise spurious spaces can cause a too many arguments bash error and the wrong result.
eg:
$ NODE_ENV="foo bar"; if [ $NODE_ENV != "production" ]; then echo "not production"; else echo "production"; fi
bash: [: too many arguments
productionFwiw shellcheck is able to find issues like this (the Python buildpack runs it on Travis):
In lib/dependencies.sh line 103:
elif [ $NODE_ENV != "production" ]; then
^-- SC2086: Double quote to prevent globbing and word splitting.(https://github.com/koalaman/shellcheck/wiki/SC2086)
|
Just a heads up: The silent removal of |
|
@Chronial I'm sorry to hear that 😓 Thank you for letting me know. I've tried to be as backward-compatible as I compatible as I could, but this is likely a breaking change for a small subset of users. If you need to test for an env var, |
Thanks, that's what we did. I think Heroku would benefit from a mechanism to notify its users about breaking changes like this before they happen. |
|
This also broke our deploys because we use private devDependencies. A heads up to paying customers would have been really nice instead of sending us into a panic and having to update environment variables across many applications. |
|
Apart from the breaking changes, thank you for this much needed change to the default behaviour of the buildpack! |
|
@Chronial @tomreid76 I don't disagree at all and could have done a better job here. It's a difficult balance because sending out mass emails can cause more stress and confusion than it alleviates. We saw this when sending out security notices and getting hundreds of support tickets from confused users. Thanks for the feedback, and we'll review this to figure out how we can improve messaging next time. |
|
@tomreid76 Can you elaborate on how private devDependencies were affected? |
|
Sure. We have a few private GitHub repos as devDependencies. Before, they were not installed by default when deploying (using node 6.11.x and npm 3.10.10). This is exactly how we wanted it. As of the update yesterday, Heroku started attempting install of those respective devDeps and things started blowing up because Heroku has no access. One other thing to note is that we actually have a pre-deploy step wherein we generate a versioned build artifact in Travis CI, and so our deploy to Heroku is really just a deploy since everything needed (prod dependencies) is bundled. Admittedly perhaps not the most common use case, but a "verified" artifact is important for reasons I won't get into. :) In any case, problem is solved, and so not a big deal, just in the future would have appreciate an email or something... I understand that has consequences also though. This also looks like a significant undertaking and I don't want to downplay those efforts or anything. Thanks for all your efforts in what up to yesterday has been a fairly good and seamless experience for me and others on my team. |
|
Perhaps for more significant changes a "change X is planned for release in N days" entry to https://devcenter.heroku.com/changelog (in addition to the one made post-release) would be visible but yet not as spammy as an email? (Anyone who doesn't want to be surprised by changes should subscribe to that feed by RSS, IMO) |
|
@jmorrell a suggestion for a simple notification system: Open an issue in the github repo titled "Breaking Changes Notifications" and just add a comment there a few days before you deploy breaking changes. Everybody who is interested can just subscribe to that issue. Since it's opt-in this should not cause any confusion. Then maybe reference that issue in this Repo's README and the heroku node.js docs. |
|
@jmorrell I set the following env variables on my app
but Heroku is still trying to install my |
|
@darrenklein That doesn't sound right. Can you open a support ticket at help.heroku.com and give me the ticket #? I'm happy to take a look |
|
@jmorrell - I have set up for my app heroku config:set NPM_CONFIG_PRODUCTION=true YARN_PRODUCTION=true NODE_ENV=production However, review apps created do not inherit these settings. Is this a bug or design? If by design, how can we enable set NPM_CONFIG_PRODUCTION=true YARN_PRODUCTION=true for review apps? |
|
@jmorrell - I guess one way I could think about that is setting them to true in app.json env section. |
|
@jmorrell I actually have a ticket open, which is how I was directed to this thread... it's ticket #560469. Here's the error log from the breaking deployment - you can see that those env variables have been set, but the package that it's breaking on is from my From the I also tried setting the buildpack to an earlier version, but it was still resulting in the same failure, which makes me think that something else may be up. Any help you can offer would be much appreciated. |
How the Gitlab ssh authentication configured? Where is the private key? Does it come from another buildpack? If this is a Review App, is it missing a config var for auth? |
|
@mars I'm answering him in a support ticket :) tl;dr - When you have a private git repo in your I'm not sure if this is a bug in npm or a limitation of its algorithm. In this case it seems like moving the git dependency to Edit: Nope, I was wrong. npm forces you to add authorization when the git repo ends up in the lockfile regardless. |
Will fix #431 by making the default behavior to:
node_modulesfor the next builddevDependenciesfromnode_modulesIf a user needs to customize this behavior, they should be able to:
Only install
dependencies, the current default behaviorYou can get this behavior by setting the following env vars:
heroku config:set NPM_CONFIG_PRODUCTION=true YARN_PRODUCTION=trueInstall both
dependenciesanddevDependenciesbut do not pruneYou can get this behavior by setting the following env vars:
heroku config:set NPM_CONFIG_PRODUCTION=false YARN_PRODUCTION=falseNODE_ENV != productionIf
NODE_ENVis not set toproduction(ex:testorstaging) then we will installdevDependenciesand skip pruning