Thanks for laying this all out for us, Raghu. Based on the built-in support for offline installs and version locking, I think this is a great suggestion. (However unfortunate the namespace collision might be.)
On Wed, Aug 16, 2017 at 8:51 AM RaghuMitra Kandikonda < [email protected]> wrote:

> I would like to start a discussion around using 'yarn' for managing dependencies for metron-alerts instead of 'npm'.
>
> This article beautifully summarizes the need for yarn over npm. (https://code.facebook.com/posts/1840075619545360)
>
> If you have read the above article you can skip the next two sections and jump to 'Additional advantages of Yarn'.
>
> =======================================================================================================================================
> Why do we need a new package manager?
>
> While 'npm' does a good job of downloading all the required dependencies, npm always tries to download the latest and greatest versions of all these dependencies. This would create a problem in replicating the same build every time we build. Having hard-coded versions in the package.json seems like a possible solution, but this will prevent us from knowing that a library has been updated. In the JS world the version updates are very frequent and we might be missing out on some of the latest updates, and some of these updates might be related to security or a cool feature we would like to have in our code base.
> Ex: Angular made 10 releases in the last two months, bootstrap made 2 releases in the last two months.
>
> =======================================================================================================================================
> What is Yarn?
>
> Yarn is a new-age package manager that can (needs to) be installed over npm (or bower). Yarn resolves issues around versioning and non-determinism of JS dependencies by using lock files and an install algorithm that is deterministic and reliable. These lock files lock the installed dependencies to a specific version and ensure that every install results in the exact same file structure in node_modules across all machines. This kind of locking mechanism is not available with vanilla node.
>
> =======================================================================================================================================
> Additional advantages of Yarn?
>
> 1. Yarn helps us to check licenses of all the frameworks we are using. (This feature is built in)
> 2. It will reduce the build time of the UI for dev as well as in Travis, as all the dependencies are cached inside '~/.config/yarn/global'
> 3. We can do an offline install of the UI, as we can zip the dependencies and supply them to Yarn instead of downloading from the internet
> 4. Yarn is already integrated with Travis (https://blog.travis-ci.com/2016-11-21-travis-ci-now-supports-yarn)
>
> =======================================================================================================================================
> How to migrate?
>
> A yarn.lock file can be created from the existing package.json file, and this file would be checked in.
>
> =======================================================================================================================================
> How does the process change?
>
> 1. All the developers would use 'npm install' so that they can get the latest versions of the dependencies.
> 2. The build would use 'yarn install'. (This change would be made in the metron-alerts pom.xml file)
> 3. When the dev notices that a new version of the library is available, we can test it thoroughly and update the yarn.lock file
>
> =======================================================================================================================================
>
> I am not aware of any other package manager that can do this for us; I can explore others if you have a suggestion.
>
> -Raghu Mitra
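The pinning that the quoted proposal relies on only works if the checked-in yarn.lock actually covers every spec in package.json and records where each tarball was resolved from. Below is an added example (not code from the thread or from metron-alerts) that parses a constructed yarn v1 lockfile and flags two drift conditions a build should reject: a package.json spec with no lock entry, and a lock entry whose resolved URL lacks the '#<sha1>' fragment yarn appends. Both input documents are constructed samples, and the '#<sha1>' convention is assumed from the yarn v1 lockfile format.

```python
"""Sanity-check a yarn v1 lockfile against package.json (constructed sample data)."""
import json
import re

# Constructed sample package.json; not the metron-alerts file.
PACKAGE_JSON = json.dumps({
    "dependencies": {"@angular/core": "^4.0.0", "bootstrap": "^3.3.7"},
    "devDependencies": {"typescript": "~2.3.0"},
})

# Constructed sample yarn.lock (v1 format). 'typescript' is deliberately absent,
# and the bootstrap entry lacks the '#<sha1>' fragment yarn normally records.
YARN_LOCK = """# yarn lockfile v1

"@angular/core@^4.0.0":
  version "4.3.4"
  resolved "https://registry.yarnpkg.com/@angular/core/-/core-4.3.4.tgz#0123abcd"
  dependencies:
    tslib "^1.7.1"

bootstrap@^3.3.7:
  version "3.3.7"
  resolved "https://registry.yarnpkg.com/bootstrap/-/bootstrap-3.3.7.tgz"
"""

def parse_yarn_lock(text):
    """Map each 'name@range' key to its {'version': ..., 'resolved': ...} fields."""
    entries, current = {}, []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        if not line.startswith(" "):
            # Header line: one or more comma-separated, optionally quoted keys.
            current = [k.strip().strip('"') for k in line.rstrip(":").split(",")]
            for key in current:
                entries[key] = {}
        else:
            # Only the two-space-indented version/resolved fields matter here.
            m = re.match(r'\s{2}(version|resolved) "(.*)"$', line)
            if m:
                for key in current:
                    entries[key][m.group(1)] = m.group(2)
    return entries

def check_lock(package_json, yarn_lock):
    """Return (specs missing from the lock, lock entries resolved without a hash)."""
    pkg = json.loads(package_json)
    specs = {**pkg.get("dependencies", {}), **pkg.get("devDependencies", {})}
    lock = parse_yarn_lock(yarn_lock)
    missing = sorted(f"{n}@{r}" for n, r in specs.items() if f"{n}@{r}" not in lock)
    unhashed = sorted(k for k, v in lock.items() if "#" not in v.get("resolved", ""))
    return missing, unhashed
```

Running `check_lock(PACKAGE_JSON, YARN_LOCK)` on the samples reports `typescript@~2.3.0` as missing and `bootstrap@^3.3.7` as resolved without a hash; a CI step that fails on either finding catches the same drift that `yarn install --frozen-lockfile` would refuse.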
