I would like to voice a couple more concerns about this idea, despite the fact that we had already reached agreement and I have started participating in this task [1] (<https://github.com/apache/cordova/issues/4>). My apologies for such bad timing.
My major concern is that npm does not seem to be so smart about updating intermediate dependencies in package-lock.json. I made an illustration in [2] (<https://github.com/apache/cordova-cli/pull/325>). While npm audit does give us instructions on how to update intermediate dependencies, I find this to be a bit clumsy and non-intuitive. Assuming we do move forward and commit package-lock.json in the Cordova repositories, a possible solution would be to periodically delete and regenerate package-lock.json ([3]).

I would also like to quote a concern pasted below, from another thread [4], which I think does have a minor level of merit.

[1] https://github.com/apache/cordova/issues/4
[2] https://github.com/apache/cordova-cli/pull/325
[3] https://github.com/apache/cordova-cli/pull/325#issuecomment-421089293
[4] https://lists.apache.org/thread.html/ef3872ea5d1147df21ab010ab3c579a655e86af18fcd3e93598a8837@%3Cdev.cordova.apache.org%3E

On Tue, Sep 11, 2018 at 7:14 AM Oliver Salzburg <***> wrote:
>
> I just wanted to voice my concern regarding package-locks on the list, even though consensus was probably reached in the past already.
>
> From our experience, this is almost as bad as committing node_modules into VCS.
> I understand the idea behind them and I would agree with that idea, but the implementation is horrible and suffers from many defects that ultimately lead to developer frustration and hard-to-analyze bugs.
>
> Especially during development, where you might switch between package versions or link locally against development checkouts of modules, package-lock files constantly get corrupted, or operations even lead to local development checkouts being replaced by cached npm modules, because the lockfile had them marked as bundled.
> And any time something like that happens, you're left with having to rebuild the lockfile from scratch, introducing exactly the changes you didn't want in the first place.
>
> I understand that `npm ci` can have performance benefits during installation of packages, but the underlying technologies are defective, the time you save in CI will be spent by developers instead, and you'll likely roll back or have to deal with blocking npm issues for some time.
>
> That was the experience for us and I'd hate to see others make the same mistake. If you go with it, I hope it works better for you, and maybe I will learn how it was all our own fault all along and we've just been holding our iPhone the wrong way. :D
>
> Cheers