Make dependencies more deterministic

[Hypnosphi]

• stop .gitignoreing yarn.locks
• use exact dependencies in package bootstrapped with npm
• adjust docs to use yarn in first place

[codecov]

Codecov Report

Merging #1703 into release/3.3 will not change coverage.
The diff coverage is n/a.

@@             Coverage Diff              @@
##           release/3.3    #1703   +/-   ##
============================================
  Coverage        23.12%   23.12%           
============================================
  Files              253      253           
  Lines             5756     5756           
  Branches           677      674    -3     
============================================
  Hits              1331     1331           
- Misses            3943     3946    +3     
+ Partials           482      479    -3

Impacted Files	Coverage Δ
app/vue/src/server/utils.js	0% <0%> (-32.15%)	⬇️
lib/ui/src/modules/ui/routes.js	0% <0%> (ø)	⬆️
lib/ui/src/modules/ui/components/layout/usplit.js	38.7% <0%> (ø)	⬆️
...ponents/left_panel/stories_tree/tree_decorators.js	33.33% <0%> (ø)	⬆️
lib/ui/src/libs/key_events.js	23.25% <0%> (ø)	⬆️
lib/components/src/navigation/menu_link.js	0% <0%> (ø)	⬆️
addons/knobs/src/components/PropField.js	10.86% <0%> (ø)	⬆️
addons/info/src/components/Props.js	37.2% <0%> (ø)	⬆️
addons/info/src/components/PropTable.js	21% <0%> (ø)	⬆️
...s/left_panel/stories_tree/tree_decorators_utils.js	45.23% <0%> (ø)	⬆️
... and 10 more

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 6f5b71c...fab716f. Read the comment docs.

[danielduan]

We should be impartial and publish a package-lock.json as well imo. There's been problems with npm respecting their own lock files but that's been fixed in [email protected].

[Hypnosphi]

This will require running bootstrap two times (using yarn and npm) each time we add or change a dependency

[shilman]

Personally I'm fed up with NPM and would like to just encourage yarn across the board for developing this project. Better platform and much easier than supporting both. Of course end users are welcome to use whatever they want. Thoughts?

[danielduan]

I definitely see the concern here and I think yarn is 100% the better package installer. Keeping backward compatibility with npm is the worst. If we're gonna proceed with yarn for the package installer of choice, we should make that very clear and keep to it.

When we phrase it, maybe it should say You should use 'yarn' as your package manager when developing Storybook.

[Hypnosphi]

I don't think that we should push this hard. If you use npm after this change your experience will be the same as it is now for everybody =) But if you use yarn, it'll be better

[danielduan]

I think the only time someone will actually use the raw npm or yarn command is when doing npm link to link to an external project and npm install --save to add a new dependency. In the new dependency case, we should definitely use yarn since that will actually update the lock file.

I think for simplicity sake, we should just tell contributors to use yarn. I would love to support npm but the unnecessary complexity is really not worth it.

[Hypnosphi]

npm install --save

You can't do that with lerna

[Hypnosphi]

since that will actually update the lock file.

It will be updated after bootstrapping, which should be done anyway

[Hypnosphi]

By the way, workspaces feature just became not experimental: yarnpkg/yarn#4262

If we use it, there will be more sense in stating that we have a yarn-only setup. I'd prefer to introduce it in a separate PR, but I can adjust the wording here if we decide to go that way

[ndelangen]

We develop storybook using yarn.

If someone wants to install the root with npm, that's of no consequence..
The bootstrap script will use yarn.

We'll assume everyone uses yarn to develop storybook in our documentation.

[danielduan]

I really don't see the benefit of locking our example apps. If a new minor version is released that breaks something, we really have no way of knowing. I know a few of us run these example apps to test if anything breaks before merging or publishing.

I think it's totally valid if we have separate example apps with version numbers locked for different version of react to test though.

[Hypnosphi]

Sounds like quite a separate issue. It's good to check that things keep being compatible with latest version, but this check should run on master not on PRs. Because if a new react-native release breaks things, it's master what should be fixed

[ndelangen]

I understand your reasoning @Hypnosphi.

Generally I'd rather have errors all over the place when we're not compatible with latest.
This will keep us alert and nudges us to resolve it quickly.

It's annoying for PR's but PR branches can always lock it down if the problem comes up.

Having said that, I think in the case of ReactNative we want to be extra cautious. Reactnative itself is on the 0.x.y versioning and is actually using pre-released version of other packages. Locking them down sounds sane.

I'm really interested in what @shilman @tmeasday think about this.

[shilman]

Definitely on the side of keeping up with latest. It will cause some headaches occasionally, but overall I think it will help us much more than it will hurt us.

[Hypnosphi]

@ndelangen @shilman isn’t it a task for greenkeeper or similar tool?

[danielduan]

this should probably be updated to yarn run bootstrap:core

[Hypnosphi]

Probably in another PR? Upstream branch has npm run bootstrap -- --core

[Hypnosphi]

By the way, it's only by fortune that those are the same things in case of core.
For example, yarn run bootstrap -- --react-native-vanilla is not the same as yarn run bootstrap:react-native-vanilla. Looks like only the bootstrap command should be called immediately. @ndelangen, please correct me if I'm wrong

[ndelangen]

@danielduan The way it is, is fine. We want people to use the bootstrap script. It's superior to remembering a list of npm script and that way we can change how we order our npm script.

[ndelangen]

This looks broken to me?

[Hypnosphi]

Yeah, looks like a merge artifact

[ndelangen]

yarn dev

[Hypnosphi]

Ok, I just wrote verbose versions of commands so that it's easilly mapped to npm. If we go all the way yarn, I'll use shorthands

[ndelangen]

yarn storybook

[Hypnosphi]

I switched all the scripts in CI to use yarn

[ndelangen]

I have tested

• the bootstrapping process
• the cra-kitchen-sink
• the vue-kitchen-sink
• the react-native-vanilla example

[ndelangen]

I understand your reasoning @Hypnosphi.

Generally I'd rather have errors all over the place when we're not compatible with latest.
This will keep us alert and nudges us to resolve it quickly.

It's annoying for PR's but PR branches can always lock it down if the problem comes up.

Having said that, I think in the case of ReactNative we want to be extra cautious. Reactnative itself is on the 0.x.y versioning and is actually using pre-released version of other packages. Locking them down sounds sane.

I'm really interested in what @shilman @tmeasday think about this.

[danielduan]

Any reason why this is not being merged into master instead of 3.3?

Seems like this is mostly contributor and documentation oriented changes.

[tmeasday]

Doesn't lerna end up using npm inside the packages when bootstrap --hoist-ing?

Apart from that I am keen on this change.

[Hypnosphi]

@tmeasday why do you think it's so?

[tmeasday]

@Hypnosphi I believe they need to run npm --global-style and yarn does not offer that functionality lerna/lerna#852

Luckily npm is smart enough to completely ignore your package.json depending on your package-lock.json so good times are hard by all thanks to this feature and the fact that we aren't checking in package-lock.jsons. /sarcasm

[Hypnosphi]

all your package's yarn.lock files will be ignored

Looks like we don't have those

[tmeasday]

Looks like we don't have those

Right but npm5 has package-lock.json, which is also currently gitignored

[Hypnosphi]

Ok, looks like non-hoistable dependencies rest uncovered by this change. I don't think it's a stopper

[tmeasday]

Agreed, although if you can figure out a solution it'd be great ;)

[Hypnosphi]

We can try yarn workspaces for bootstrapping =)

[shilman]

@Hypnosphi have not had success with yarn workspaces yet (it hoisted so aggressively that it caused problems in my project like lack of .bin directories in my sub-projects) but if you can get something working well i'd definitely love to see it and migrate eventually (if it works well and everybody else is on board)

[Hypnosphi]

I’d wait for upcoming 1.0 release first

[tmeasday]

Yeah, I think when workspaces does what we need, combined with @ndelangen's hoisting script, I think we'll be good. For now, this is a big improvement, right?