-
Notifications
You must be signed in to change notification settings - Fork 1
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Install devDependencies by default #519
Conversation
Would it be possible to provide an option to opt out of this? As-is this will mean we install/cache packages that we don't need. It's such a shame that |
@edmorley I intend to make it so that you can configure it to only install I believe this will be a better default for most users though. |
Agreed that it's a shame there's no concept of build dependencies (for things like build, but also CI). While this will install |
@hunterloftis I'm currently pruning after the cache is saved. Otherwise the user needs to re-download all of the build tooling again the next time. |
Ah yeah, I hadn't thought about that. Glad you have :) |
db8ce6e
to
30f5499
Compare
fi | ||
} | ||
|
||
header "Pruning devDependencies" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is the terminology that npm uses, but I don't love it.
Is there a clearer way to get across "we're removing the modules defined in devDepenencies
from node_modules
"?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
If it's the command in both yarn
and npm
, it's probably fine since that's what people will be familiar with.
@edmorley I can't tag you as a reviewer, but I'd appreciate it if you took a look :) |
@@ -211,6 +211,17 @@ cache_build() { | |||
header "Caching build" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This changes a lot of the fixture files for tests which can be mostly ignored. The important changes are found in:
bin/compile
lib/dependencies.sh
lib/environment.sh
lib/failure.sh
With tests changes in:
test/run
@@ -122,8 +122,7 @@ fail_yarn_outdated() { | |||
local log_file="$1" | |||
local yarn_engine=$(read_json "$BUILD_DIR/package.json" ".engines.yarn") | |||
|
|||
if grep -qi 'error: unknown option .--frozen-lockfile' "$log_file"; then | |||
echo "ran" | |||
if grep -qi 'error .install. has been replaced with .add. to add new dependencies' "$log_file"; then |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is changed because in these earlier versions adding the --production
flag changes the error message that is displayed
testNoEnvVars() { | ||
env_dir=$(mktmpdir) | ||
compile "stable-node" "$(mktmpdir)" $env_dir | ||
assertCaptured "NPM_CONFIG_PRODUCTION=true" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We're no longer setting NPM_CONFIG_PRODUCTION
by default
@@ -263,10 +270,6 @@ testWarnDevDeps() { | |||
assertCaptured "A module may be missing" | |||
assertNotCaptured "This module may be specified" | |||
assertCapturedError | |||
compile "missing-devdeps-2" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This will no longer result in an error so I've removed it
@@ -712,7 +777,7 @@ testShrinkwrap() { | |||
compile "shrinkwrap" | |||
assertCaptured "[email protected]" | |||
assertCaptured "[email protected]" | |||
assertNotCaptured "mocha" | |||
assertCaptured "mocha@2.0.1" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is now installed by default
@@ -811,6 +918,10 @@ compileTest() { | |||
for f in ${compile_dir}/.profile.d/*; do source $f > /dev/null 2> /dev/null ; done | |||
|
|||
capture ${bp_dir}/bin/test ${compile_dir} | |||
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Fixes a bug in the compileTest
function that would cause subsequent tests to fail
lib/dependencies.sh
Outdated
yarn_prune_devdependencies() { | ||
local build_dir=${1:-} | ||
|
||
if [ $NODE_ENV == "test" ]; then |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This will be caught by the elif
clause below. Do we want the explicit messaging here?
local build_dir=${1:-} | ||
local npm_version=$(npm --version) | ||
|
||
if [ $NODE_ENV == "test" ]; then |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Same as the yarn comment above, but wanted to point it out for completeness sake.
I ran through all the (non test) code. This looks good. I tried to find a OS X event library in node, but it looks like all file watcher libs are cross platform that are popular. I'm not sure of other platform specific libs that would only show up in node. As a suggestion to provide helpful messaging to users who builds work now but may break with this change, the buildpack can mark in the cache the buildpack version number and the success state with this PR. If the build fails and the last build was not using this buildpack and the last build was not a success, then we can display how to opt into the old functionality. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I've verified that the buildpack & reference apps that I maintain deploy cleanly using this dev-dependencies-change
branch:
Thanks for your meticulous efforts on this @jmorrell 🎩
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Hi! I had a quick read through - looks great :-)
(Also glad there is an option for those that need to revert to the previous behaviour)
Things I noticed:
- Does
warn_missing_devdeps
in failure.sh need updating to also check forYARN_PRODUCTION
? - Can the
NPM_CONFIG_PRODUCTION
export now be removed frombin/test-compile
? - In
environment.sh
'slist_node_config
, should themcount "npm-config-production-true"
also includeYARN_PRODUCTION
(or a new count be added)?
if [ $NODE_ENV == "test" ]; then | ||
echo "Skipping because NODE_ENV is 'test'" | ||
return 0 | ||
elif [ $NODE_ENV != "production" ]; then |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It might be worth quoting the $NODE_ENV
and the various other variables in conditionals, since otherwise spurious spaces can cause a too many arguments
bash error and the wrong result.
eg:
$ NODE_ENV="foo bar"; if [ $NODE_ENV != "production" ]; then echo "not production"; else echo "production"; fi
bash: [: too many arguments
production
Fwiw shellcheck is able to find issues like this (the Python buildpack runs it on Travis):
In lib/dependencies.sh line 103:
elif [ $NODE_ENV != "production" ]; then
^-- SC2086: Double quote to prevent globbing and word splitting.
(https://github.com/koalaman/shellcheck/wiki/SC2086)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
cough shellcheck is the best
Just a heads up: The silent removal of |
@Chronial I'm sorry to hear that 😓 Thank you for letting me know. I've tried to be as backward-compatible as I compatible as I could, but this is likely a breaking change for a small subset of users. If you need to test for an env var, |
Thanks, that's what we did. I think Heroku would benefit from a mechanism to notify its users about breaking changes like this before they happen. |
This also broke our deploys because we use private devDependencies. A heads up to paying customers would have been really nice instead of sending us into a panic and having to update environment variables across many applications. |
Apart from the breaking changes, thank you for this much needed change to the default behaviour of the buildpack! |
@Chronial @tomreid76 I don't disagree at all and could have done a better job here. It's a difficult balance because sending out mass emails can cause more stress and confusion than it alleviates. We saw this when sending out security notices and getting hundreds of support tickets from confused users. Thanks for the feedback, and we'll review this to figure out how we can improve messaging next time. |
@tomreid76 Can you elaborate on how private devDependencies were affected? |
Sure. We have a few private GitHub repos as devDependencies. Before, they were not installed by default when deploying (using node 6.11.x and npm 3.10.10). This is exactly how we wanted it. As of the update yesterday, Heroku started attempting install of those respective devDeps and things started blowing up because Heroku has no access. One other thing to note is that we actually have a pre-deploy step wherein we generate a versioned build artifact in Travis CI, and so our deploy to Heroku is really just a deploy since everything needed (prod dependencies) is bundled. Admittedly perhaps not the most common use case, but a "verified" artifact is important for reasons I won't get into. :) In any case, problem is solved, and so not a big deal, just in the future would have appreciate an email or something... I understand that has consequences also though. This also looks like a significant undertaking and I don't want to downplay those efforts or anything. Thanks for all your efforts in what up to yesterday has been a fairly good and seamless experience for me and others on my team. |
Perhaps for more significant changes a "change X is planned for release in N days" entry to https://devcenter.heroku.com/changelog (in addition to the one made post-release) would be visible but yet not as spammy as an email? (Anyone who doesn't want to be surprised by changes should subscribe to that feed by RSS, IMO) |
@jmorrell a suggestion for a simple notification system: Open an issue in the github repo titled "Breaking Changes Notifications" and just add a comment there a few days before you deploy breaking changes. Everybody who is interested can just subscribe to that issue. Since it's opt-in this should not cause any confusion. Then maybe reference that issue in this Repo's README and the heroku node.js docs. |
@jmorrell I set the following env variables on my app
but Heroku is still trying to install my |
@darrenklein That doesn't sound right. Can you open a support ticket at help.heroku.com and give me the ticket #? I'm happy to take a look |
@jmorrell - I have set up for my app heroku config:set NPM_CONFIG_PRODUCTION=true YARN_PRODUCTION=true NODE_ENV=production However, review apps created do not inherit these settings. Is this a bug or design? If by design, how can we enable set NPM_CONFIG_PRODUCTION=true YARN_PRODUCTION=true for review apps? |
@jmorrell - I guess one way I could think about that is setting them to true in app.json env section. |
@jmorrell I actually have a ticket open, which is how I was directed to this thread... it's ticket #560469. Here's the error log from the breaking deployment - you can see that those env variables have been set, but the package that it's breaking on is from my
From the
I also tried setting the buildpack to an earlier version, but it was still resulting in the same failure, which makes me think that something else may be up. Any help you can offer would be much appreciated. |
How the Gitlab ssh authentication configured? Where is the private key? Does it come from another buildpack? If this is a Review App, is it missing a config var for auth? |
@mars I'm answering him in a support ticket :) tl;dr - When you have a private git repo in your I'm not sure if this is a bug in npm or a limitation of its algorithm. In this case it seems like moving the git dependency to Edit: Nope, I was wrong. npm forces you to add authorization when the git repo ends up in the lockfile regardless. |
Will fix #431 by making the default behavior to:
node_modules
for the next builddevDependencies
fromnode_modules
If a user needs to customize this behavior, they should be able to:
Only install
dependencies
, the current default behaviorYou can get this behavior by setting the following env vars:
heroku config:set NPM_CONFIG_PRODUCTION=true YARN_PRODUCTION=true
Install both
dependencies
anddevDependencies
but do not pruneYou can get this behavior by setting the following env vars:
heroku config:set NPM_CONFIG_PRODUCTION=false YARN_PRODUCTION=false
NODE_ENV != production
If
NODE_ENV
is not set toproduction
(ex:test
orstaging
) then we will installdevDependencies
and skip pruning