NPM packages don't have pinned versions. #2555
Comments
We definitely want to look into this, perhaps urgently. My biggest question is: what do other projects that use Lerna/Yarn do about this? Also cc @davidmurdoch because I may recall your mentioning this in the past? Or was that something else?

Also @eggplantzzz makes a strong case that this is glaringly unbelievable and warrants reproduction.
Truffle uses Example: If
and
then
If at some point in the future
(note: I'm not sure if [transitive] dependency The Yarn doesn't actually have a mechanism for pinning dependencies for published packages and this limitation is an intentional design decision: https://yarnpkg.com/blog/2016/11/24/lockfiles-for-all/ (and is the main reason why Ganache doesn't use yarn)
I believe it does, just to a more limited extent:

```json
{
  "dependencies": {
    "app-module-path": "^2.2.0",
    "mocha": "5.2.0",
    "original-require": "1.0.1"
  }
}
```
Where can one read this strong case?

Well, I stand corrected! :-D

Mocha has 86 transitive dependencies! It is one of those packages that brings in the kitchen sink with it. 😢

It was over Zoom, in our internal Wednesday weekly ticket processing meeting. I took notes on the occurrence of the "strong case" but was unable to capture a summary. I better leave it to @eggplantzzz to summarize (if he can remember why the case seemed strong before we had all this new information)
@davidmurdoch thank you for presenting a strong case for shrinkwrap guarantees. I believe there are other significant factors in deciding whether the benefits of those guarantees outweigh other costs:
Theoretically, we could achieve the guarantees we get in Since this all seems non-ideal, I am interested in the work that @kumavis has been doing for MetaMask with https://github.com/LavaMoat/lavamoat-browserify, although I haven't done the research to see how it impacts the consideration for Truffle.

Incidentally, it seems maybe yarn workspaces are not meant for what we are using it for.

Also related yarnpkg/yarn#5428

After some discussion we've concluded that we would like to be able to lock dependencies for each individual package. Putting this note here for whoever takes this on!

Currently we are working on bundling all Truffle packages independently. This should lock all versions of dependencies.

cc @benjamincburns, this can be closed when your PR is done.
Issue
npm install @truffle/workflow-compile
will result in getting different transitive dependencies depending on what is available from NPM at install time. While this is a specific problem that can be addressed, the bigger issue is that none of the distributed NPM packages appear to include a package-lock.json, which I believe is required by NPM in order to fetch fixed versions. Without it, dependency versions from package.json will be used and any transitive dependencies will follow whatever versioning strategy they have internally.

Steps to Reproduce
npm install @truffle/workflow-compile
package-lock.json
) and push to GitHub.

Expected Behavior
All Truffle packages published to NPM include a package-lock.json file that includes a fixed set of dependencies (including transitives).

Actual Results
All Truffle packages appear to be published to NPM without a package-lock.json file, which means dependency versions are calculated at user install time.

Environment
truffle version: 5.0.43
node --version: 12.3.0
npm --version: 6.9.0
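The two checks this thread circles (range specs in package.json, and whether the published tarball carries a lockfile npm honours), as an added example that is not code from the Truffle project: npm only consults npm-shrinkwrap.json when installing a published package and never ships package-lock.json in the tarball, so a package-lock.json in the repo does not pin anything for consumers. The sample package.json (taken from the snippet above) and the file list are constructed; `isPinned`, `findFloatingDeps`, `lockfileStatus` and `auditPackage` are names of this example, not npm APIs.

```javascript
// Added example, not Truffle code: audit a package manifest and its publish
// file list for the two gaps discussed in the issue.

// An exact semver version (x.y.z with optional prerelease/build metadata).
// Anything else (^, ~, >=, x-ranges, dist-tags, git/URL/file specs) lets npm
// pick a different version at install time.
const EXACT_VERSION =
  /^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?$/;

function isPinned(spec) {
  return typeof spec === 'string' && EXACT_VERSION.test(spec.trim());
}

// Return every direct dependency whose spec is not an exact version.
// Note: even an all-exact list only pins the first level; transitive
// dependencies still float unless a shrinkwrap is published.
function findFloatingDeps(pkg, fields = ['dependencies', 'optionalDependencies']) {
  const floating = [];
  for (const field of fields) {
    for (const [name, spec] of Object.entries(pkg[field] || {})) {
      if (!isPinned(spec)) floating.push({ field, name, spec });
    }
  }
  return floating;
}

// `files` is the list of paths that will go into the published tarball
// (in practice, take it from `npm pack --dry-run --json`). npm applies
// npm-shrinkwrap.json from a published package; package-lock.json is never
// packed, so its presence in the repo gives consumers no guarantee.
function lockfileStatus(files) {
  if (files.includes('npm-shrinkwrap.json')) return 'pinned-by-shrinkwrap';
  if (files.includes('package-lock.json')) return 'package-lock-not-published';
  return 'no-lockfile';
}

function auditPackage(pkg, files) {
  return { floating: findFloatingDeps(pkg), lockfile: lockfileStatus(files) };
}

// Constructed sample: the dependency block quoted in the thread, plus a
// repo that committed package-lock.json but no npm-shrinkwrap.json.
const SAMPLE_PKG = {
  name: 'sample-package',
  dependencies: { 'app-module-path': '^2.2.0', mocha: '5.2.0', 'original-require': '1.0.1' },
};
const SAMPLE_FILES = ['package.json', 'index.js', 'package-lock.json'];

console.log(JSON.stringify(auditPackage(SAMPLE_PKG, SAMPLE_FILES), null, 2));
```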