Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

deps: vendor semver #45127

Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

Conversation

flakey5
Copy link
Member

@flakey5 flakey5 commented Oct 22, 2022

Vendor semver internally. This pr originated from #44942 but kept open incase there were other decisions made that needed this vendored.

@nodejs-github-bot
Copy link
Collaborator

Review requested:

  • @nodejs/tsc

@nodejs-github-bot nodejs-github-bot added build Issues and PRs related to build files or the CI. dependencies Pull requests that update a dependency file. meta Issues and PRs related to the general management of the project. needs-ci PRs that need a full CI run. labels Oct 22, 2022
tools/update-semver.sh Outdated Show resolved Hide resolved
@nodejs-github-bot

This comment was marked as outdated.

@mcollina
Copy link
Member

Is this exposing semver in any way?

Copy link
Member

@mcollina mcollina left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lgtm

@flakey5
Copy link
Member Author

flakey5 commented Oct 22, 2022

Is this exposing semver in any way?

No, figured just to have it internal for now and later on a conversation on exposing it could be held if anyone wanted it to be

Copy link
Member

@anonrig anonrig left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Maybe I'm missing something but I'm not in favor of adding a dependency without exposing or using it. There is an issue to which this pull request is linked, but there isn't any parent pull request which depends on/references the changes in the pull request.

@flakey5
Copy link
Member Author

flakey5 commented Oct 22, 2022

Maybe I'm missing something but I'm not in favor of adding a dependency without exposing or using it. There is an issue to which this pull request is linked, but there isn't any parent pull request which depends on/references the changes in the pull request.

This is 1 of 2 prs related to the issue linked above regarding the version checker. The second one would be the one actually using the module, which I planned on opening after this one landed.

@flakey5 flakey5 force-pushed the flakey5/vendor-semver branch from e13d4b0 to e03644e Compare October 22, 2022 21:05
@tniessen
Copy link
Member

Wasn't there a version manager working group? (cc @ljharb)

I remember multiple proposals being shot down because some group was working on a cross-platform approach to version management, and this seems to fit into that direction.

@ljharb
Copy link
Member

ljharb commented Oct 22, 2022

There still is one; version checking is indeed something I’d expect to fall under that group. Our next step remains the same because nobody’s done the work on it yet: to catalog and unify install paths. Version checking doesn’t conflict with that, but it’s a much larger design space given versions have semver, but there’s also release lines, and also nightlies and RCs, and also unofficial builds, and also Linux distro/user customized builds.

@GeoffreyBooth
Copy link
Member

Forgive the newbie question, and this isn’t meant to hold up or block this PR, but is there any way to include dependencies like semver (and postject in that similar PR) only at build time, without needing to include them in the node repo? We could host their repos under github.com/nodejs, and the binaries would pull them in as part of the build script.

@jasnell
Copy link
Member

jasnell commented Oct 23, 2022

To be clear, this PR is just about adding the version check notification discussed in #44942 ... It is not about adding a version manager.

@flakey5 ... As I mentioned to you, it would be good to add a basic unit test here that validates that the dep does in fact exist and work

@flakey5
Copy link
Member Author

flakey5 commented Oct 23, 2022

Forgive the newbie question, and this isn’t meant to hold up or block this PR, but is there any way to include dependencies like semver (and postject in that similar PR) only at build time, without needing to include them in the node repo? We could host their repos under github.com/nodejs, and the binaries would pull them in as part of the build script.

Maybe? But also imo that's a discussion out of the scope of this pr especially given the current precedent for dependencies afaik

@mscdex
Copy link
Contributor

mscdex commented Oct 23, 2022

@GeoffreyBooth Having to fetch additional resources from the internet in order to compile a normal build of node just adds a point of failure, which is something we should try to avoid.

Additionally it can make things harder to reason about when debugging related issues because you'd need to look at an external repo and figure out the version that is/was used and ensure that the code wasn't changed, etc.

@flakey5 flakey5 force-pushed the flakey5/vendor-semver branch 2 times, most recently from 2569ab8 to 075aa69 Compare October 23, 2022 03:48
@nodejs-github-bot

This comment was marked as outdated.

@jasnell jasnell added the author ready PRs that have at least one approval, no pending requests for changes, and a CI started. label Oct 25, 2022
@nodejs-github-bot
Copy link
Collaborator

@jasnell
Copy link
Member

jasnell commented Oct 26, 2022

We should not ship this without explicit sign off from https://github.com/orgs/nodejs/teams/npm

Why? I agree that we should not expose it to users without sign off from npm but this PR doesn't do that. It's bundled internally and not exposed to users.

@jasnell jasnell added dont-land-on-v16.x dont-land-on-v18.x PRs that should not land on the v18.x-staging branch and should not be released in v18.x. labels Oct 26, 2022
@jasnell
Copy link
Member

jasnell commented Oct 26, 2022

Adding don't land labels so, if it does land, it doesn't end up in a release until it's ready.

@RaisinTen
Copy link
Contributor

I see no reason to block this PR. The discussion about whether to expose the API is an entirely separate conversation. This PR does not expose the API. It has no outward impact whatsoever. If we decide ultimately not to do the version check, it can easily be removed without any impact to anyone. If there are concerns about it ending up in a release until that decision is made, we can add don't land flags on the pr.

Exactly, my point is that we don't have consensus on any use case for this commit yet. This is currently adding a dependency for something we haven't fully decided on. So in case we finally decide on not pursuing either of the use cases, this commit would get reverted and this adds more commits for no real reason IMO.

@jasnell jasnell removed the author ready PRs that have at least one approval, no pending requests for changes, and a CI started. label Oct 26, 2022
@jasnell
Copy link
Member

jasnell commented Oct 26, 2022

Exactly, my point is that we don't have consensus on any use case for this commit yet. This is currently adding a dependency for something we haven't fully decided on.

There is, btw, precedence for this. For instance, we currently have ngtcp2 and quictls (the quic enabled fork of openssl) included as a dependency in support of the still in development quic stuff. It was added separate in order to make it easier to develop the quic stuff in smaller chunks that would hopefully be easier to review, even tho there is currently still no consensus on whether quic support actually will ultimately land. Should we decide ultimately not to pursue quic, we can very easily just remove that dependency, impacting nothing.

... this adds more commits for no real reason IMO.

Commits are cheap. There is nothing that says we have to make decisions all at once.

@lukekarrys
Copy link
Member

A question about the implementation here:

What's the reason for including the source and a single file that is generated with esbuild? If I'm reading it right, the generated file is what gets returned from internal/deps/semver/semver. But there shouldn't be any functional difference between the generated file and semver's index.js file.

@RaisinTen
Copy link
Contributor

even tho there is currently still no consensus on whether quic support actually will ultimately land

I don't think anyone was opposed to having quic in Node.js, right? I thought that quic hasn't landed because the PR is still in a WIP state and it will eventually land when the work is completed and there are approvals but in this case there are folks objecting to the use cases.

@RaisinTen
Copy link
Contributor

But there shouldn't be any functional difference between the generated file and semver's index.js file.

semver's index.js file has relative require calls but the require() used in the internal files of node doesn't support that. See nodejs/undici#1183 (comment).


# Bundle source into single file
cd "deps/semver"
"$NODE" "$NPX" esbuild@0.14.38 index.js --bundle --platform=node --outfile=semver.js
Copy link
Contributor

@RaisinTen RaisinTen Oct 27, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why does this require semver to be downloaded again? Why can't we run the esbuild step on deps/npm/node_modules/semver/index.js?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Semver is only downloaded once, the lines you highlighted just cd into the cloned directory and run esbuild on it

Copy link
Contributor

@RaisinTen RaisinTen Oct 27, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I mean why do we need to download the source of semver when it already exists inside deps/npm/node_modules/semver. Why can't we reuse that?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I mean why do we need to download the source of semver when it already exists inside deps/npm/node_modules/semver. Why can't we reuse that?

Oh yeah, I didn't even think of that. Should probably put the updating semver script in the npm update script as well then

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It makes sense to me to use only the version of semver that npm brings in

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should probably put the updating semver script in the npm update script

Do you mean the part of the script that generates the single file? +1 to that.

One thing to keep in mind, however, is that -- assuming this lands and assuming we make the decision to expose the/a semver api to users in the future -- there might come a time when npm could stop bundling npm and expect to get it just from node.js, at which point we'd need to bring this full script back.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should probably put the updating semver script in the npm update script as well then

Most npm PRs are automated and created with tooling from the npm/cli repo. Is there a step that could run after one of those is merged, that would look for semver and then bundle its source?

Also there is a chance that semver gets deduped in the npm tree in the future. Ideally the tool could use something like npm query to get only the version of semver that npm uses.

When run inside the npm/cli repo:

❯ npm query ':root > #semver' | jq '.[0].location'
"node_modules/semver"

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do you mean the part of the script that generates the single file?

Yeah

Copy link
Member Author

@flakey5 flakey5 Oct 28, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I assume semver doesn't need to be added to dep_checker anymore now that it'll be vendored through whatever version npm is using? Also, given that it wasn't already in the license file before, does it still need to be since it's being vendored? I assume yes but asking to make sure

Is there a step that could run after one of those is merged, that would look for semver and then bundle its source?

Are you referring to an action that would fire when a pr is merged with npm cli or something different?

❯ npm query ':root > #semver' | jq '.[0].location'

Currently not able to get this working for whatever reason but that would indeed be a good idea as well

tools/update-npm.sh Outdated Show resolved Hide resolved
@Trott
Copy link
Member

Trott commented Nov 9, 2022

@jasnell We weren't sure what to talk about with this at the meeting today. We think it can be removed from the TSC agenda, but if I'm wrong, please add the label back.

@Trott Trott removed the tsc-agenda Issues and PRs to discuss during the meetings of the TSC. label Nov 9, 2022
@jasnell
Copy link
Member

jasnell commented Nov 10, 2022

Yes it can be removed from the agenda.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
build Issues and PRs related to build files or the CI. dependencies Pull requests that update a dependency file. dont-land-on-v18.x PRs that should not land on the v18.x-staging branch and should not be released in v18.x. meta Issues and PRs related to the general management of the project. needs-ci PRs that need a full CI run.
Projects
None yet
Development

Successfully merging this pull request may close these issues.