I would like to start a discussion around using 'yarn' for managing dependencies for metron-alerts instead of 'npm'.

This article beautifully summarizes the need for yarn and npm: https://code.facebook.com/posts/1840075619545360

If you have read the above article you can skip the next two sections and jump to 'Additional advantages of Yarn'.

=======================================================================================================================================
Why do we need a new package manager?

While 'npm' does a good job of downloading all the required dependencies, npm always tries to download the latest and greatest versions of all these dependencies. This would create a problem in replicating the same build every time we build. Having hard-coded versions in the package.json seems like a possible solution, but this will prevent us from knowing that a library has been updated. In the JS world the version updates are very frequent, and we might be missing out on some of the latest updates; some of these updates might be related to security or a cool feature we would like to have in our code base.

Ex: Angular made 10 releases in the last two months, bootstrap made 2 releases in the last two months.

=======================================================================================================================================
What is Yarn?

Yarn is a new-age package manager that can (needs to) be installed over npm (or bower). Yarn resolves issues around versioning and non-determinism of JS dependencies by using lock files and an install algorithm that is deterministic and reliable. These lock files lock the installed dependencies to a specific version and ensure that every install results in the exact same file structure in node_modules across all machines. This kind of locking mechanism is not available with vanilla node.

=======================================================================================================================================
Additional advantages of Yarn

1. Yarn helps us to check licenses of all the frameworks we are using. (This feature is built in.)
2. It will reduce the build time of the UI for dev as well as in Travis, as all the dependencies are cached inside '~/.config/yarn/global'.
3. We can do an offline install of the UI, as we can zip the dependencies and supply them to Yarn instead of downloading from the internet.
4. Yarn is already integrated with Travis (https://blog.travis-ci.com/2016-11-21-travis-ci-now-supports-yarn).

=======================================================================================================================================
How to migrate?

A yarn.lock file can be created from the existing package.json file, and this file would be checked in.

=======================================================================================================================================
How does the process change?

1. All the developers would use 'npm install' so that they can get the latest versions of the dependencies.
2. The build would use 'yarn install'. (This change would be made in the metron-alerts pom.xml file.)
3. When the dev notices that a new version of the library is available, we can test it thoroughly and update the yarn.lock file.

=======================================================================================================================================
I am not aware of any other package manager that can do this for us; I can explore others if you have a suggestion.

-Raghu Mitra
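As an added example (not part of Raghu's message or the Metron code base), a small Python check of the lock-file guarantee the proposal relies on: it parses a v1 yarn.lock and reports every dependency declared in package.json that has no resolved lock entry, which is the condition a frozen-lockfile install in the build would refuse. The package.json and yarn.lock contents below are constructed samples, and the parser handles only the version/resolved fields it needs.

```python
# Added illustration for the yarn.lock proposal above; not Metron code.
# The package.json and yarn.lock texts are constructed samples.
import json
import re

SAMPLE_PACKAGE_JSON = """{
  "dependencies": {"@angular/core": "^4.1.0", "bootstrap": "~3.3.7"},
  "devDependencies": {"typescript": "^2.3.0"}
}"""

SAMPLE_YARN_LOCK = '''# yarn lockfile v1

"@angular/core@^4.1.0":
  version "4.2.3"
  resolved "https://registry.yarnpkg.com/@angular/core/-/core-4.2.3.tgz#0000000000000000000000000000000000000000"
  dependencies:
    tslib "^1.7.1"

bootstrap@~3.3.7:
  version "3.3.7"
  resolved "https://registry.yarnpkg.com/bootstrap/-/bootstrap-3.3.7.tgz#1111111111111111111111111111111111111111"
'''

def parse_yarn_lock(text):
    """Map each 'name@range' key of a v1 yarn.lock to its version/resolved."""
    entries, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        if not line.startswith(" ") and line.endswith(":"):
            # Header: one or more comma-separated, possibly quoted keys.
            current = {}
            for key in line[:-1].split(","):
                entries[key.strip().strip('"')] = current
        elif current is not None:
            m = re.match(r'\s+(version|resolved)\s+"?([^"]+)"?$', line)
            if m:  # nested 'dependencies:' lines are ignored here
                current[m.group(1)] = m.group(2)
    return entries

def unpinned_dependencies(package_json, yarn_lock):
    """Declared deps with no resolved lock entry: the build is not deterministic."""
    pkg = json.loads(package_json)
    lock = parse_yarn_lock(yarn_lock)
    declared = {**pkg.get("dependencies", {}), **pkg.get("devDependencies", {})}
    return sorted(f"{n}@{r}" for n, r in declared.items()
                  if "resolved" not in lock.get(f"{n}@{r}", {}))
```

With the samples above, typescript is declared but absent from the lock, so it is the one entry reported.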