Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Consider publishing with npm-shrinkwrap.json #841

Open
2 tasks
gmaclennan opened this issue Sep 19, 2024 · 4 comments
Open
2 tasks

Consider publishing with npm-shrinkwrap.json #841

gmaclennan opened this issue Sep 19, 2024 · 4 comments

Comments

@gmaclennan
Copy link
Member

Description

npm-shrinkwrap.json has the same functionality as package-lock.json, but it is published with the package to npm. The npm docs say:

It's strongly discouraged for library authors to publish this file, since that would prevent end users from having control over transitive dependency updates.

However, we have seen multiple times in the past that changes to transitive dependencies break things. Our tests on @comapeo/core are very thorough, and should catch bugs caused by transitive dependency changes, however without a npm-shrinkwrap.json the apps that depend on @comapeo/core could easily be using different transitive dependencies to the ones that are tested here, and the tests in the apps are less thorough than here, which could result in runtime bugs.

Publishing npm-shrinkwrap.json will ensure that any app using @comapeo/core will be using exactly the same version that is tested here.

Tasks

  • Agree whether we want to publish npm-shrinkwrap.json
  • Publish a new version of the package with npm-shrinkwrap.json
@EvanHahn
Copy link
Contributor

I'm pretty hesitant to do something that's "strongly discouraged". Could we get some of the same benefits if we pinned exact dependency versions in package.json? That wouldn't cover sub-dependencies but might be enough for us.

@gmaclennan
Copy link
Member Author

The reasons for it being "strongly discouraged" are the exact reasons why we want it: it ensures that it is used in the app with exactly the same deps as we test on. The npm doc writers don't like the idea that an upstream dependent of the dep can't update a transitive dependency to fix a bug. We don't really want to be able to do that without running all the comapeo-core tests on that dependency update.

Pinning exact dependency versions goes a way to solving this, but not entirely. The issue in the mobile app was actually with the hypercore version depended on by corestore. It is perfectly possible that the mobile app could be using the pinned version of corestore, but the hypercore dep of corestore could be a different version (this could happen by an unsuspecting dev updating transitive deps to the latest matching semver).

@EvanHahn
Copy link
Contributor

EvanHahn commented Sep 19, 2024 via email

@gmaclennan
Copy link
Member Author

Discussed with @ErikSin and @achou11 and agreed to move ahead with this. If there is a growth in external use of CoMapeo Core then we will look into publishing a version without shrinkwrap, but for now we will just publish a shrinkwrap version. Unsure about whether we include npm-shrinkwrap.json into source control.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

3 participants
@gmaclennan @EvanHahn and others