[
https://issues.apache.org/jira/browse/TEZ-3285?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15316206#comment-15316206
]
Hitesh Shah commented on TEZ-3285:
----------------------------------
bq. This doesn't affect the final build. Also we don't use any of these
libraries directly. So should we update the license/notice files?
If they are in the final war file then yes.
bq. Both package.json and the shrinkwrap must update on `npm install --save`
Is npm install invoked on each build? Do these files get updated on each build
creating a dirty workspace on each build/run?
Also, I dont see any aspects of the dev README updated on a how-to on
maintaining this or what to do when adding new additions or how to make version
changes for dependencies? Additionally, is there a way to set ranges for
dependencies i.e. allow for 1.1.x so that we get any critical bug fixes, etc?
> Tez UI: Lock down dependency versions using npm-shrinkwrap
> ----------------------------------------------------------
>
> Key: TEZ-3285
> URL: https://issues.apache.org/jira/browse/TEZ-3285
> Project: Apache Tez
> Issue Type: Bug
> Reporter: Sreenath Somarajapuram
> Assignee: Sreenath Somarajapuram
> Attachments: TEZ-3285.1.patch, TEZ-3285.2.patch, TEZ-3285.3.patch,
> TEZ-3285_batch-0.8_1.patch
>
>
> All dependencies of tez-ui is having fixed versions. But the dependencies of
> our dependencies are not. Hence a level down in the dependency tree, the
> build might be looking for the latest packages. This affects the reliability
> of the UI build.
> NPM:
> npm shrinkwrap create a separate json from the currently installed packages,
> and ensure that the complete dependency tree is intact across all the build.
> Bower:
> Bower doesn't have a hierarchy and this issue can be avoided by locking on a
> specific version for all dependent package in the bower.json itself.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
