[
https://issues.apache.org/jira/browse/TEZ-3285?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15315540#comment-15315540
]
Sreenath Somarajapuram commented on TEZ-3285:
---------------------------------------------
bq. Do the license/notice files need changing?
This doesn't affect the final build. Also we don't use any of these libraries
directly. So should we update the license/notice files?
bq. How was it created in the first place?
Just running 'npm shrinkwrap' will create the first json file from the
currently installed packages in node_modules.
bq. How is the npm shrinkwrap.json file meant to be maintained? How should it
be kept up to date?
- Both package.json and the shrinkwrap must be updated on `npm install --save`
bq. Dependency checks are now skipped - what happens if a new dependency is
required? How would that get pulled in? How do we ensure that all dependencies
are defined in the shrinkwrap json at build/compile time?
- Only the extra build-time check in the maven-ember build is disabled. npm install
in maven will still install new dependencies.
bq. Also, what is the original issue that requires transitive dependencies to be
locked down? Given that libraries will be upgraded over time, how do we ensure
that we don't end up in situations where we are using 3-4 year old library
versions?
- In some situations, it's desirable to fully specify each version of each
dependency recursively so that subsequent builds and deploys do not
inadvertently pick up newer versions of a dependency that satisfy the semver
pattern. The shrinkwrap command locks down the dependencies based on what's
currently installed in node_modules.
> Tez UI: Lock down dependency versions using npm-shrinkwrap
> ----------------------------------------------------------
>
> Key: TEZ-3285
> URL: https://issues.apache.org/jira/browse/TEZ-3285
> Project: Apache Tez
> Issue Type: Bug
> Reporter: Sreenath Somarajapuram
> Assignee: Sreenath Somarajapuram
> Attachments: TEZ-3285.1.patch, TEZ-3285.2.patch, TEZ-3285.3.patch,
> TEZ-3285_batch-0.8_1.patch
>
>
> All dependencies of tez-ui have fixed versions, but the dependencies of
> our dependencies do not. Hence, a level down in the dependency tree, the
> build might be looking for the latest packages. This affects the reliability
> of the UI build.
> NPM:
> npm shrinkwrap creates a separate json file from the currently installed packages
> and ensures that the complete dependency tree stays intact across all builds.
> Bower:
> Bower doesn't have a hierarchy, and this issue can be avoided by locking on a
> specific version for every dependent package in bower.json itself.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)