Comments (9)
Shrinkwrap? Although I remember there were some issues with it.
This apparently saves some dangerous/places a release could go wrong situation
Was there a precedent?
from jquery-release.
We can just have the release script install its own dependencies as the first step.
Sure. There are definitely disadvantages with having it in the repo.
Most dependencies are nailed to a specific version which is good, so having it install dependencies should be relatively low risk.
Most dependencies are nailed to a specific version which is good, so having it install dependencies should be relatively low risk.
The problem is that only direct dependencies are specified this way. You can't count on `npm install` done some time later producing the same dependency tree.
I think that it's going to create problems for cross platform if the deps ever end up with compiled gyp modules for instance.
This is supposed to be taken care of by `node-gyp rebuild`. That said, `npm@3` will dedupe by default so the current tree won't be what it'd produce; the logical dependency tree will be decoupled from the directory one. I'm not sure how it'll play with dep structure created via [email protected] or `2.x` (perhaps @othiym23 would know more).
Shrinkwrap was created for this use case. It still has some problems, e.g. it doesn't warn against mismatches between `package.json` & `npm-shrinkwrap.json` (it just ignores the former), it doesn't work with `npm install --save` out of the box etc. This, again, should be taken care of in the near future but we're not there yet.
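The two gaps raised in the comment above (only direct dependencies are pinned, and `npm-shrinkwrap.json` silently wins over `package.json`) can be checked before a release. This is an added example, not code from jquery-release or npm; the `auditLock` helper and the package names are hypothetical, and only exact pins are compared because no semver range resolver is used.

```javascript
'use strict';

// Exact pin such as "1.2.3" or "1.2.3-beta.1"; anything else (^, ~, >=, *, tags, URLs) floats.
const EXACT = /^\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?(\+[0-9A-Za-z.-]+)?$/;

// Compare the direct dependencies declared in package.json with the
// top-level entries of npm-shrinkwrap.json and report every disagreement.
function auditLock(pkg, shrinkwrap) {
  const declared = Object.assign({}, pkg.dependencies, pkg.devDependencies);
  const locked = shrinkwrap.dependencies || {};
  const findings = [];

  for (const [name, range] of Object.entries(declared)) {
    const entry = locked[name];
    if (!EXACT.test(range)) {
      // A range can resolve differently on a later install.
      findings.push({ name, issue: 'floating', detail: range });
    }
    if (!entry) {
      // Declared but absent from the lock: npm will resolve it fresh.
      findings.push({ name, issue: 'unlocked', detail: range });
    } else if (EXACT.test(range) && entry.version !== range) {
      // The lock file wins at install time, so package.json is misleading.
      findings.push({ name, issue: 'mismatch', detail: `${range} vs ${entry.version}` });
    }
  }
  for (const name of Object.keys(locked)) {
    if (!(name in declared)) {
      findings.push({ name, issue: 'extraneous', detail: locked[name].version });
    }
  }
  return findings;
}

// Constructed sample input (hypothetical packages, not jquery-release's real manifest).
const samplePkg = {
  dependencies: { 'pkg-a': '1.4.0', 'pkg-b': '^2.0.0', 'pkg-c': '0.3.1' }
};
const sampleShrinkwrap = {
  dependencies: {
    'pkg-a': { version: '1.4.2' },
    'pkg-b': { version: '2.1.0', dependencies: { 'pkg-d': { version: '0.9.0' } } },
    'pkg-e': { version: '3.0.0' }
  }
};

const sampleFindings = auditLock(samplePkg, sampleShrinkwrap);
for (const f of sampleFindings) console.log(`${f.issue}: ${f.name} (${f.detail})`);
```

Run in CI or as the first step of a release script, a non-empty result is a reason to stop before publishing.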
@dmethvin that assumes any dependencies of our dependencies use fixed versions. This is generally not true.
@arschmitz @mzgol Oh yeah I always forget that you're only as unvarying as your sloppiest dependency. Shrinkwrap may be a safer option.
@dmethvin @arschmitz fixed deps are not ideal, but it is a very low risk that the same features of the dependency wouldn't work the same way, since deps of the dep are encapsulated.
I wonder if somebody actually faced any inconsistencies with fixed deps, yeah, theoretically it's possible, but practically?
I think if there weren't any issues with it, we shouldn't try to fix something that's not broken. Shrinkwrap is pretty radical.
I would recommend testing shrinkwrap as a group and seeing how you feel about the result. @mzgol is right in that we're making some improvements to shrinkwrap in `npm@3`, and he's also right that it's probably going to be a little while until `npm@3` is stable enough for this use case. In the meantime, if there are bugs that block you using it to distribute jQuery, we're happy to work with you to smooth out those edges (especially if there are patches included).
Because npm has to bootstrap itself, all its production dependencies are `bundledDependencies` and checked into Git; it also doesn't / can't have any native modules in the dependencies. Those two constraints sort of cancel each other out, but there are special test cases to ensure that `node_modules` is in sync with both `bundledDependencies` and `dependencies`. In practice, this is a pretty low-key workflow, and it ensures that everyone doing releases is releasing the same bits, but it doesn't play very nice with native modules and does require a certain amount of extra discipline.