[RRFC] remove npm-shrinkwrap.json from the list of unignorable files #511

Open
ljharb opened this issue Jan 17, 2022 · 5 comments
Labels
semver:major backwards-incompatible breaking changes

Comments

@ljharb
Contributor

ljharb commented Jan 17, 2022

Motivation ("The Why")

I have npm-shrinkwrap.json in both .gitignore and .npmignore on basically all of my repos. However, I unknowingly broke ls-engines when I published it, not realizing that the npm-shrinkwrap.json I'd been playing with would be published despite being explicitly ignored.

Possible solutions

  • allow npm-shrinkwrap.json to be npmignored
  • fail a publish when an unignorable file is explicitly ignored, via "files" or ".npmignore" or ".gitignore"

The upsides

  • it would be much harder to accidentally break consumers by publishing a shrinkwrap (something that's a long-standing bad practice anyways)

The downsides

  • someone who wants to publish a shrinkwrap would only be able to do so if they weren't already explicitly ignoring it.

Can anyone provide any scenario where making one of the above changes would pose problems for someone?

darcyclarke added the "semver:major" (backwards-incompatible breaking changes) and "Agenda" (will be discussed at the Open RFC call) labels on Jan 17, 2022
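
The second option proposed above (fail the publish when an unignorable file is explicitly ignored) can be approximated today as a check run before publishing. This is an added example, not npm's code or part of the original thread; `parseRule`, `matches`, `findConflicts` and the sample inputs are hypothetical, and the pattern matching covers only a simplified subset of gitignore syntax.

```javascript
// Assumption: only the file this issue names is listed here; extend the array
// with the other always-included files of the npm version you publish with.
const UNIGNORABLE = ['npm-shrinkwrap.json'];

// Turn one pattern line into a matcher for a top-level file name. Handles comments,
// blank lines, a leading "/", "!" negation and "*" globs (a gitignore subset).
function parseRule(line) {
  let pattern = line.trim();
  if (!pattern || pattern.startsWith('#')) return null;
  const negated = pattern.startsWith('!');
  if (negated) pattern = pattern.slice(1);
  const source = pattern
    .replace(/^\//, '').split('*')
    .map((part) => part.replace(/[.+?^${}()|[\]\\]/g, '\\$&'))
    .join('[^/]*');
  return { negated, regex: new RegExp(`^${source}$`) };
}

// True when the last matching rule in `text` is not negated (gitignore order).
function matches(name, text) {
  let hit = false;
  for (const line of (text || '').split(/\r?\n/)) {
    const rule = parseRule(line);
    if (rule && rule.regex.test(name)) hit = !rule.negated;
  }
  return hit;
}

// One message per unignorable file that is present in the package root and
// that the author has tried to exclude. `pkg` is the parsed package.json.
function findConflicts({ present, pkg, npmignore, gitignore }) {
  const conflicts = [];
  for (const name of UNIGNORABLE.filter((f) => present.includes(f))) {
    const via = [];
    if (matches(name, npmignore)) via.push('.npmignore');
    if (matches(name, gitignore)) via.push('.gitignore');
    // "files" is an allowlist: leaving the file out of it is the exclusion.
    if (Array.isArray(pkg.files) && !matches(name, pkg.files.join('\n'))) via.push('"files"');
    if (via.length) conflicts.push(`${name}: excluded via ${via.join(', ')} but still published`);
  }
  return conflicts;
}

// Constructed sample: a stray shrinkwrap that is listed in both ignore files.
console.log(findConflicts({
  present: ['package.json', 'index.js', 'npm-shrinkwrap.json'],
  pkg: { name: 'example', files: ['index.js'] },
  npmignore: 'npm-shrinkwrap.json\n',
  gitignore: '# lockfiles\n/npm-shrinkwrap.json\n',
}));
```

Fed with the real directory listing and file contents from a `prepublishOnly` script, a non-empty result is the signal to stop the publish.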
@dominykas

Shouldn't a package-lock be used in the case of a shrinkwrap you don't want published?

@ljharb
Contributor Author

ljharb commented Jan 19, 2022

@dominykas yes, when such a lockfile is intentionally present. In my case, my package actually interacts with other projects' shrinkwrap files, so I'd generated one for testing - but because it was in npmignore, I assumed it would be ignored by npm.

@ruyadorno
Contributor

Following up from our OpenRFC talk today: npm-shrinkwrap.json being part of the list of unignorable files is a long-standing contract that is expected by (at least) some subset of the ecosystems that npm caters to. I'm on the side that completely removing it from that list is too much of a breaking change for too little of an upside (from my pov the subset of package authors that would publish a package containing an npm-shrinkwrap.json unintentionally is much smaller than the subset of package authors intentionally using it).

On the other hand I'm open to the alternative of making it ignorable via adding to .npmignore (and/or possibly .gitignore) - if the file is listed there it looks to me that the user intent is very clear.

@ljharb
Contributor Author

ljharb commented Feb 9, 2022

I remain convinced that the subset of the infinitesimal number of packages intentionally published with a shrinkwrap file, using files, and not explicitly including it in files, is in the single digits, but I understand it would still technically be a breaking change.

@ljharb
Contributor Author

ljharb commented Mar 18, 2022

ref npm/statusboard#459
