-
Notifications
You must be signed in to change notification settings - Fork 30.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
deps: vendor semver #45127
base: main
Are you sure you want to change the base?
deps: vendor semver #45127
Conversation
Review requested:
|
This comment was marked as outdated.
This comment was marked as outdated.
Is this exposing semver in any way? |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
lgtm
No, figured just to have it internal for now and later on a conversation on exposing it could be held if anyone wanted it to be |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Maybe I'm missing something but I'm not in favor of adding a dependency without exposing or using it. There is an issue to which this pull request is linked, but there isn't any parent pull request which depends on/references the changes in the pull request.
This is 1 of 2 prs related to the issue linked above regarding the version checker. The second one would be the one actually using the module, which I planned on opening after this one landed. |
e13d4b0
to
e03644e
Compare
Wasn't there a version manager working group? (cc @ljharb) I remember multiple proposals being shot down because some group was working on a cross-platform approach to version management, and this seems to fit into that direction. |
There still is one; version checking is indeed something I’d expect to fall under that group. Our next step remains the same because nobody’s done the work on it yet: to catalog and unify install paths. Version checking doesn’t conflict with that, but it’s a much larger design space given versions have semver, but there’s also release lines, and also nightlies and RCs, and also unofficial builds, and also Linux distro/user customized builds. |
Forgive the newbie question, and this isn’t meant to hold up or block this PR, but is there any way to include dependencies like |
Maybe? But also imo that's a discussion out of the scope of this pr especially given the current precedent for dependencies afaik |
@GeoffreyBooth Having to fetch additional resources from the internet in order to compile a normal build of node just adds a point of failure, which is something we should try to avoid. Additionally it can make things harder to reason about when debugging related issues because you'd need to look at an external repo and figure out the version that is/was used and ensure that the code wasn't changed, etc. |
2569ab8
to
075aa69
Compare
This comment was marked as outdated.
This comment was marked as outdated.
Why? I agree that we should not expose it to users without sign off from npm but this PR doesn't do that. It's bundled internally and not exposed to users. |
Adding don't land labels so, if it does land, it doesn't end up in a release until it's ready. |
Exactly, my point is that we don't have consensus on any use case for this commit yet. This is currently adding a dependency for something we haven't fully decided on. So in case we finally decide on not pursuing either of the use cases, this commit would get reverted and this adds more commits for no real reason IMO. |
There is, btw, precedence for this. For instance, we currently have ngtcp2 and quictls (the quic enabled fork of openssl) included as a dependency in support of the still in development quic stuff. It was added separate in order to make it easier to develop the quic stuff in smaller chunks that would hopefully be easier to review, even tho there is currently still no consensus on whether quic support actually will ultimately land. Should we decide ultimately not to pursue quic, we can very easily just remove that dependency, impacting nothing.
Commits are cheap. There is nothing that says we have to make decisions all at once. |
A question about the implementation here: What's the reason for including the source and a single file that is generated with |
I don't think anyone was opposed to having quic in Node.js, right? I thought that quic hasn't landed because the PR is still in a WIP state and it will eventually land when the work is completed and there are approvals but in this case there are folks objecting to the use cases. |
semver's |
tools/update-semver.sh
Outdated
|
||
# Bundle source into single file | ||
cd "deps/semver" | ||
"$NODE" "$NPX" esbuild@0.14.38 index.js --bundle --platform=node --outfile=semver.js |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Why does this require semver
to be downloaded again? Why can't we run the esbuild
step on deps/npm/node_modules/semver/index.js
?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Semver is only downloaded once, the lines you highlighted just cd into the cloned directory and run esbuild on it
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I mean why do we need to download the source of semver
when it already exists inside deps/npm/node_modules/semver
. Why can't we reuse that?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I mean why do we need to download the source of
semver
when it already exists insidedeps/npm/node_modules/semver
. Why can't we reuse that?
Oh yeah, I didn't even think of that. Should probably put the updating semver script in the npm update script as well then
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It makes sense to me to use only the version of semver that npm brings in
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Should probably put the updating semver script in the npm update script
Do you mean the part of the script that generates the single file? +1 to that.
One thing to keep in mind, however, is that -- assuming this lands and assuming we make the decision to expose the/a semver api to users in the future -- there might come a time when npm could stop bundling npm and expect to get it just from node.js, at which point we'd need to bring this full script back.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Should probably put the updating semver script in the npm update script as well then
Most npm PRs are automated and created with tooling from the npm/cli
repo. Is there a step that could run after one of those is merged, that would look for semver
and then bundle its source?
Also there is a chance that semver
gets deduped in the npm tree in the future. Ideally the tool could use something like npm query
to get only the version of semver that npm uses.
When run inside the npm/cli
repo:
❯ npm query ':root > #semver' | jq '.[0].location'
"node_modules/semver"
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Do you mean the part of the script that generates the single file?
Yeah
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I assume semver doesn't need to be added to dep_checker anymore now that it'll be vendored through whatever version npm is using? Also, given that it wasn't already in the license file before, does it still need to be since it's being vendored? I assume yes but asking to make sure
Is there a step that could run after one of those is merged, that would look for
semver
and then bundle its source?
Are you referring to an action that would fire when a pr is merged with npm cli or something different?
❯ npm query ':root > #semver' | jq '.[0].location'
Currently not able to get this working for whatever reason but that would indeed be a good idea as well
075aa69
to
4c78c65
Compare
4c78c65
to
129ba8e
Compare
@jasnell We weren't sure what to talk about with this at the meeting today. We think it can be removed from the TSC agenda, but if I'm wrong, please add the label back. |
Yes it can be removed from the agenda. |
Vendor semver internally. This pr originated from #44942 but kept open incase there were other decisions made that needed this vendored.