-
Notifications
You must be signed in to change notification settings - Fork 59
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
adding package-lock.json #330
Comments
I'd prefer doing it the Rust style. Only having package locks for applications, not libraries. In our case applications would be e.g. AEgir and js-ipfs. I could imagine that using package locks on our libraries would introduce a lot of overhead when updating dependencies as we would loose implicit updates, which are used a lot as we release so often. |
but those implicit updates also break things often! |
This is a rather annoying issue we hit fairly often, and it's not always easy to know where the issue is coming from.
Is there a reason for this? Is it purely overhead? I think adding
If we don't enable Greenkeeper we'd need to remember to explicitly update in range dependencies. I usually do this fairly regularly on packages I'm actively working on, but having something automatically handling that would be nice. |
Especially since implicit upgrades often break things, I think it's good to surface those as early as possible. Else you end up with lots of things to fix if you upgrade a lot of packages at the same time...
...though using Greenkeeper would certainly fix this issue I'm seeing (I have it enabled on a few Greenkeeper repos already). |
I would love to enable renovate service (greenkeeper like but with filters) where we would select only our packages and get PRs only for those, everything third party, maintainers should run npm update and update the lock. |
I'd like to use Greenkeeper (also for personal reasons, but that's a different story), but also (or perhaps even especially) for 3rd party dependencies. It's also important to know if they break. So far in IPLD I haven't had issues with too many PRs from Greenkeeper (Greenkeeper changed how it works quite a lot in recent years). Though the IPLD modules don't have that many dependencies. |
Ok so as far as I can tell,
and disadvantages:
Greenkeeper will give us back this visibility for direct dependencies (plz correct me if I'm wrong), but we'll not have visibility on breaking changes to dependencies of dependencies. So, if the only problem we're trying to solve here is speeding up pipelines then IMHO package-lock isn't the answer. I'm 👍 on greenkeeper or something like it. Now we have a stable CI, keeping dependencies up to date is going to be so much easier. I'm happy to enable it for all dependencies and dial it down if it becomes unmanageable. I'd be interested in talking through if shinkwrap is an option instead. I feel like we might be able to speed up CI as well as mitigate the pain of breaking dependencies for consumers by using this...I haven't got time just now to properly consider it but if someone has time to enumerate the advantages/disadvantages that would be helpful! |
Listing out advantages, disadvantages, and mitigations for the approaches here. Feel free to add/edit if something is missing. Package LockAdvantages
Disadvantages
ShrinkwrapAdvantages
Disadvantages
MitigationWhat can we do to mitigate the disadvantages? Both
Run daily Travis Cron builds that ignore lock/shrinkwrap on key projects. We shouldn't need to do this for everything, but things like js-ipfs and js-libp2p should leverage daily builds. This would also give us insight into nested dependency updates that break things for downstream users. Package Lock... Shrinkwrap... |
+1 for the Travis Cron workaround |
I'm concerned no-one will notice when it fails.
We already do not have in range updates in our browser builds. Adding a shrinkwrap would ensure we don't forget to update them also when security fixes happen. If |
We been talking about this again. The current plan is to have a That way it's trivial to re-create the shrinkwrap file from release tags and people installing |
Now that we are moving to travis we should talk about adding package-lock.json to the repos so the pipelines run faster.
Discuss please @ipfs/javascript-team
The text was updated successfully, but these errors were encountered: