-
Notifications
You must be signed in to change notification settings - Fork 1
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Consider publishing with npm-shrinkwrap.json
#841
Comments
I'm pretty hesitant to do something that's "strongly discouraged". Could we get some of the same benefits if we pinned exact dependency versions in |
The reasons for it being "strongly discouraged" are the exact reasons why we want it: it ensures that it is used in the app with exactly the same deps as we test on. The npm doc writers don't like the idea that an upstream dependent of the dep can't update a transitive dependency to fix a bug. We don't really want to be able to do that without running all the comapeo-core tests on that dependency update. Pinning exact dependency versions goes a way to solving this, but not entirely. The issue in the mobile app was actually with the hypercore version depended on by corestore. It is perfectly possible that the mobile app could be using the pinned version of corestore, but the hypercore dep of corestore could be a different version (this could happen by an unsuspecting dev updating transitive deps to the latest matching semver). |
Makes sense to me!
Presumably we want to do this at release time. We wouldn't put npm-shrinkwrap.json into source control, and only include it in the final tarball. Is that what you're imagining?
|
Discussed with @ErikSin and @achou11 and agreed to move ahead with this. If there is a growth in external use of CoMapeo Core then we will look into publishing a version without shrinkwrap, but for now we will just publish a shrinkwrap version. Unsure about whether we include npm-shrinkwrap.json into source control. |
Description
npm-shrinkwrap.json
has the same functionality aspackage-lock.json
, but it is published with the package to npm. The npm docs say:However, we have seen multiple times in the past that changes to transitive dependencies break things. Our tests on
@comapeo/core
are very thorough, and should catch bugs caused by transitive dependency changes, however without anpm-shrinkwrap.json
the apps that depend on@comapeo/core
could easily be using different transitive dependencies to the ones that are tested here, and the tests in the apps are less thorough than here, which could result in runtime bugs.Publishing
npm-shrinkwrap.json
will ensure that any app using@comapeo/core
will be using exactly the same version that is tested here.Tasks
npm-shrinkwrap.json
npm-shrinkwrap.json
The text was updated successfully, but these errors were encountered: