Add support for npm-shrinkwrap.json

[mixonic]

The dependency checker is slightly naive, in that it presumes dependencies of dependencies do not require confirmation. We're only talking NPM here.

In practice, we've often run into cases where dependency X has a variable version specified, for example:

{
  name: "torii",
  dependencies: {
    "popup-service": "^1.0.0"
  }
}

When popup-service releases 1.0.1, it is easy to end up with some npm installs having 1.0.0 on disk and others having 1.0.1. The checker has no way to confirm what version should be installed, as that information is not stored in package.json.

Even worse is when 1.0.1 has a bug, but there is no way to force 1.0.0 without forking torii.

The npm shrinkwrap command outputs a summary of what dependencies are currently in node_modules/. There is no way to confirm that what you have node_modules/ matches npm-shrinkwrap.json, but removing the node_modules/ directory and running npm install will result in
the versions of npm-shrinkwrap.json being used.

These patches add a new dependency checker to the bower.json and package.json checkers, one that activates when npm-shrinkwrap.json is present and uses it to confirm the contents of the node_modules/ directory is correct.

The ideal way to work with this change is to run the npm shrinkwrap command and commit the resulting npm-shinkwrap.json command after every npm install of a dependency. When other developers (or a build box) pull down the changes the ember command will error if their nested dependencies are incorrect. The suggested resolution to failures is to rm -rf node_modules/ and run npm install. With a blank node_modules/ directory, npm will respect the pinned versions in npm-shrinkwrap.json.

See also the revised README.md.

[mixonic]

Testing with some Real World usage right now, getting a list for cleanup...

[mixonic]

🚀 :-D

[quaertym]

@mixonic 👍 Thanks, that's a lot of work. I will review and merge asap.

[bantic]

@quaertym Would you also be open to another PR after this that makes creating fixture directory/file-structures on a per-test basis possible? We started pushing the limits of the fixtures when we put this together.

[mixonic]

We have a followup for this after ember-cli/ember-cli#3771 lands, which you review as a diff at https://github.com/201-created/ember-cli-dependency-checker/compare/add-shrinkwrap...201-created:using-node-modules-path. This patch will add support for arbitrary node_modules/ locations to the dependency checker.

But we would like to land this first.

[rwjblue]

LGTM

[mixonic]

@quaertym I'd like to get this and the followup to it merged this week while we have it fresh in our heads, please let me know if we need to make any changes!

[quaertym]

We want to check dependencies on init, not in the included hook since only build commands invoke included. See @rwjblue 's comment on #23.

[quaertym]

@mixonic I left a few comments let's figure them out, other than those I am fine with the changes. I think this is a great addition to the dependency checker, thanks for the great work.

@bantic I'd like any PR that improves the current situation.

[mixonic]

@quaertym updated for one comment and addressed two others.

[quaertym]

@mixonic Thanks 👍

[mixonic]

🎆

[quaertym]

@mixonic Do you think we should change this updateRequired function with this https://github.com/quaertym/ember-cli-dependency-checker/blob/master/lib/package.js#L18-19?

[mixonic]

I don't believe shrinkwrap will output a file with a range, so it seems unlikely to make a difference in practice.

[quaertym]

👍 Good to know.