build(deps): pin ALL dependency versions in package.json files 2023-07-24 #2574
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
petermetz
requested review from
takeutak,
izuru0,
jagpreetsinghsasan,
VRamakrishna and
sandeepnRES
as code owners
petermetz
force-pushed
the
petermetz/issue2571
branch
9 times, most recently
from
cefe5db
to
1e729e7
Compare
…7-24 1. Replaced all tilde and caret characters in package.json files with nothing so that all versions are pinned down for safety and stability of the build/publishing process. 2. On top of just removing the tildes and carets, I also upgraded the declared versions to whatever their caret upgrades would've been (e.g. performed minor upgrades on all the versions). This is important because this is how we achieve parity with the actual dependencies that were used by the code prior to this PR - this also highlights why it is necessary to have reproducible builds and pinned versions: because without it one has no actual answer to the question of "So what dependencies does your code need to function exactly?" 4. Removed the jasmine types from the root package because they were causing build problems with the weaver tsc compilation. The proper, longer term solution here is to make the weaver packages' tsc configuration on-boarded to the monorepo structure, but I did not want to blow up this commit to be 10x the current size just because of this. I opened a couple of issues regarding this. 5. I added protobufjs as a dev dependency to the API server package because artillery suddenly stopped working when grpcjs was upgraded and it was complaining that one of its dependencies (protobufjs) cannot be imported. 6. I added the protocol buffer compiler to the dev container. 7. Added a new VSCode extension to the list of recommended ones because I found it extremely useful while performing the minor upgrades in the dozens of package.json files (100+ dependencies in total). Why? Because all the other tooling that exists in the NodeJS ecosystem assumes that doing major upgrades on dependencies in batch is the only thing needed. None of the tools are able to do a minor upgrades only mass upgrade operation, even the ones that claim this as a feature do not have it. 8. I synced the list of recommended VSCode extensions to the dev container definition file so that the same extensions get installed automatically in the container as well. Fixes hyperledger-cacti#2571 Signed-off-by: Peter Somogyvari <[email protected]>
petermetz
force-pushed
the
petermetz/issue2571
branch
from
1e729e7
to
60db2b5
Compare
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
files with nothing so that all versions are pinned down
for safety and stability of the build/publishing process.
declared versions to whatever their caret upgrades would've been (e.g.
performed minor upgrades on all the versions). This is important because
this is how we achieve parity with the actual dependencies that were used
by the code prior to this PR - this also highlights why it is necessary to
have reproducible builds and pinned versions: because without it one has
no actual answer to the question of "So what dependencies does your code
need to function exactly?"
were causing build problems with the weaver tsc compilation.
The proper, longer term solution here is to make the weaver packages'
tsc configuration on-boarded to the monorepo structure, but I did not want
to blow up this commit to be 10x the current size just because of this.
I opened a couple of issues regarding this.
artillery suddenly stopped working when grpcjs was upgraded and it was
complaining that one of its dependencies (protobufjs) cannot be imported.
I found it extremely useful while performing the minor upgrades in the
dozens of package.json files (100+ dependencies in total). Why? Because
all the other tooling that exists in the NodeJS ecosystem assumes that
doing major upgrades on dependencies in batch is the only thing needed.
None of the tools are able to do a minor upgrades only mass upgrade
operation, even the ones that claim this as a feature do not have it.
definition file so that the same extensions get installed automatically
in the container as well.
Fixes #2571
Signed-off-by: Peter Somogyvari [email protected]