Hi, All: As I mentioned in the architecture meeting, I have been thinking about how to transition to committing the lock files for yarn and/or npm@5 to our repos. Once we start accepting yarn.lock or package-lock.json files in repositories, we need to ensure that these are actually kept up to date, even if some of us are running another version and/or package manager.
To me, the natural place to address this is in running tests in CI. There should be a failure if the lock file does not match the dependencies, and the failure should be visible as part of PRs under review.

On this front, yarn gives us better options. Commands like "yarn outdated" explicitly fail if your dependencies don't match the lock file. They even have an explicit "yarn check" command <https://yarnpkg.com/lang/en/docs/cli/check/> which seems purpose-built to answer this question. Those guard against things like manually editing your package.json or pulling changes via git without rerunning "yarn install". What we want is to avoid letting "yarn install" generate a new lock file. Thankfully "yarn install" supports a "--frozen-lockfile" option that will throw an error if the package.json and yarn.lock are out of sync.

With npm@5, we don't have a check command or the ability to throw an error if the lock file doesn't match the package.json file. My initial thought is that we could run "npm install" and check to see if the lock file has been updated. As we are working with git repositories, one option might be to check the output of "git status --porcelain" <https://stackoverflow.com/questions/5139290/how-to-check-if-theres-nothing-to-be-committed-in-the-current-branch> after running the install. Even if we decide to use yarn, we might still want to add this kind of check, as it also guards against sloppiness in failing to update our .gitignore to screen out build artifacts, test reports, et cetera.

Anyway, not arguing for either yarn or npm@5 here, just pointing out a key concern and sharing an idea that should allow some of us to exercise our work with yarn or npm@5 without requiring the rest to immediately switch.

Cheers,

Tony

On Thu, Jun 1, 2017 at 11:48 AM, Tony Atkins <[email protected]> wrote:
> Hi, All.
>
> I'm sure a few of you have seen this already, but I thought I'd use it as a chance to resume our discussions regarding next-gen package management, which previously focused on yarn. The new version of npm seems to be pulling in a few yarn-like improvements (lock files, better speed). It seems like the one practical change is committing a new type of lock file. We'd want to confirm that the new lock files are ignored by earlier versions of npm, which is pretty easy to confirm in Vagrant tests.
>
> On that note, I'm volunteering to try this out for a while. My ground rules for myself are that whatever changes I commit related to the new version, I only expect reviewers to accept and merge if the tests keep passing in Vagrant and the version of npm included in the "Apps" images (currently 3.10.8). If these are horrible or incomplete ground rules, please comment.
>
> Also, if anyone else wants to join me, please reply so I know whom to mention in chats on IRC. I'd particularly love to enlist someone who uses Windows as their daily driver, as there have been multiple issues unique to that environment in the past (I'm looking at you, leveldown).
>
> Cheers,
>
> Tony
>
> ---------- Forwarded message ----------
> From: Isaac Schlueter <[email protected]>
> Date: Wed, May 31, 2017 at 5:06 PM
> Subject: announcing npm@5
> To: [email protected]
>
> Hi!
>
> Starting today, typing `npm install npm@latest -g` will update you to npm version 5.0.1.
>
> npm@5 is all new and packed with performance, reliability, and usability improvements we know you’ll love. These include a new approach to lockfiles, more robust caching, and incredible speed — for many common tasks, npm@5 is up to *5x* faster than previous versions.
>
> The update is available now and we recommend it for everyone. Whether you’re finding open source packages on the npm Registry, organizing your team’s code with Orgs <http://s2030806319.t.en25.com/e/er?utm_campaign=2017-05-31%20npm%405%20all-sub%20email&utm_medium=email&utm_source=Eloqua&s=2030806319&lid=117&elqTrackId=39916DE6512B37FD8BBCF2D1E413B114&elq=b465a4f2f0f8488981d3180948b7e71c&elqaid=350&elqat=1>, or installing apps behind your firewall with npm Enterprise <https://npmjs.com/enterprise?utm_campaign=2017-05-31%20npm%405%20all-sub%20email&utm_medium=email&utm_source=Eloqua&utm_source=Eloqua&utm_medium=email&utm_campaign=20170531&elqTrackId=5B7A39B30E640E56C0C318F9225A04A0&elq=b465a4f2f0f8488981d3180948b7e71c&elqaid=350&elqat=1&elqCampaignId=107>, npm@5 will make it faster and easier than ever to build amazing things.
>
> You can learn more about npm@5 here <http://s2030806319.t.en25.com/e/er?utm_campaign=2017-05-31%20npm%405%20all-sub%20email&utm_medium=email&utm_source=Eloqua&s=2030806319&lid=116&elqTrackId=B90694C8BE3137E70040E0F3EFC1DF23&elq=b465a4f2f0f8488981d3180948b7e71c&elqaid=350&elqat=1>. After you’ve installed it, we hope you’ll let us know what you think <http://s2030806319.t.en25.com/e/er?utm_campaign=2017-05-31%20npm%405%20all-sub%20email&utm_medium=email&utm_source=Eloqua&s=2030806319&lid=13&elqTrackId=3B624F5AC6BC4FCCBC477A6BCBD47E88&elq=b465a4f2f0f8488981d3180948b7e71c&elqaid=350&elqat=1>, and if you run into trouble, just drop us a line <[email protected]>.
>
> npm ♥ you
>
> Isaac Z. Schlueter, CEO
> and the wombats of npm, Inc.
>
> npm, Inc.
> 1999 Harrison Street, Suite 1150, Oakland, CA 94612
_______________________________________________
Architecture mailing list
[email protected]
http://lists.gpii.net/mailman/listinfo/architecture
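The CI check Tony sketches above (run the install, then look at "git status --porcelain" and fail if a lock file was created or rewritten), written out as a POSIX shell script. This is an added example, not code from the GPII repositories or from anyone in this thread. The script name, the LOCKCHECK_RUN guard used to keep it from running the live install when sourced, and the set of lock file names it watches (package-lock.json, npm-shrinkwrap.json, yarn.lock) are assumptions; it also goes slightly beyond the message by matching lock files in subdirectories, so it works unchanged in a monorepo, and by failing on any other file the install leaves behind, which is the .gitignore sloppiness the message mentions.

```shell
#!/bin/sh
# check-lockfile.sh (assumed name): fail a CI run when "npm install" or
# "yarn install" changes, creates or deletes a lock file, or leaves any other
# untracked/modified file behind. Added example, not GPII project code.
set -eu

# `git status --porcelain` (v1) prints one entry per line as "XY path", where
# X is the index status, Y the worktree status, and "??" marks an untracked
# file.  We care about modified (M), added (A), deleted (D) and untracked lock
# files at any depth of the repository.
LOCK_PATTERN='^(.[MD]|[MAD].|\?\?) ([^ ]*/)?(package-lock\.json|npm-shrinkwrap\.json|yarn\.lock)$'

# Read porcelain output from stdin; exit 0 if any lock file changed, 1 if not.
lockfile_changed() {
  grep -E "$LOCK_PATTERN" >/dev/null
}

# Read porcelain output from stdin; print the paths of the lock files that
# changed, one per line, for the PR log (strips the "XY " prefix).
changed_lockfiles() {
  grep -E "$LOCK_PATTERN" | cut -c4-
}

# CI entry point (assumed invocation: LOCKCHECK_RUN=1 sh check-lockfile.sh npm|yarn).
# For yarn, --frozen-lockfile already aborts when yarn.lock is out of date with
# package.json; the git check is kept for both managers so that build artifacts
# and test reports missing from .gitignore are caught as well.
check_install_leaves_tree_clean() {
  pm="${1:-npm}"
  case "$pm" in
    yarn) yarn install --frozen-lockfile ;;
    npm)  npm install ;;
    *)    echo "unknown package manager: $pm" >&2; return 2 ;;
  esac

  status="$(git status --porcelain)"
  if printf '%s\n' "$status" | lockfile_changed; then
    echo "install changed a lock file; commit it or fix package.json:" >&2
    printf '%s\n' "$status" | changed_lockfiles >&2
    return 1
  fi
  if [ -n "$status" ]; then
    echo "install left untracked or modified files (update .gitignore?):" >&2
    printf '%s\n' "$status" >&2
    return 1
  fi
  echo "lock file and working tree unchanged after $pm install"
}

# Run the live check only when explicitly asked, so the functions above can be
# sourced and exercised on constructed status output without touching the network.
if [ "${LOCKCHECK_RUN:-}" = 1 ]; then
  check_install_leaves_tree_clean "${1:-npm}"
fi
```

Wire it into the CI job after checkout and before the test run; a PR that edits package.json without refreshing the lock file then fails with the offending path in the log, whichever package manager the author used locally.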
