v0.9.0: shinkwrap causes all dev dependencies to be installed #198
Comments
Note that this is especially problematic if, say, one is using Linux and the shrinkwrap wants
Thanks for the information. I initially fought this, but was persuaded that reproducibility is a good quality. If you care, you can see the relevant issue here: #186 I try to avoid problems like this by running CI on all supported versions of Node on all supported platforms. Unfortunately, I don't think I have a test that packs and then installs from that tarball, which sounds like it would have been necessary to reproduce this error. I will try something like what you recommend or perhaps just a production-only install before generating it. It would be nice if npm handled this scenario better; the current behavior seems inconsistent and problematic to me for obvious reasons. I expect to publish a patch release in a day or two. Sorry for the trouble!
By the way, what happens when you run
BTW, I DO have a relevant test on Ubuntu that passes, but it uses a custom command line that seems to opt out of the problem constraints:
You may be interested in midnight-smoker, which uses (Also related: boneskull/midnight-smoker#306)
For the initial install (
My 2c: Shrinkwrap is a tradeoff of reproducibility vs user control. A shrinkwrap means that transitive dependencies cannot be deduped, hoisted, nor overridden by the consumer; this makes the consumer wholly dependent upon the shrinkwrapped dep to remediate any security vulnerabilities or critical bugs. While it may be your preference,
While an end user may not get the same transitive dependency tree, you can be reasonably assured your package works as expected by a regular cadence of CI checks, pinned dependencies (no semver ranges), automated dependency updates (I recommend Renovate), and (shameless plug)
I will try midnight-smoker, it sounds like a great addition! In fact, I will make sure it detects this problem as part of the initial commit. :) Regarding shrinkwrap, you can follow my thought process in that linked issue. I do not see value in package-lock, but it seemed to me the intent of shrinkwrap was reasonable for the task of knowing exactly what dependencies have been tested/validated. I will spend some time this evening experimenting and hope that I can find a configuration that doesn't cause problems.
FWIW this is exactly how to reproduce the problem:

```
# updates package-lock.json, but does not install fsevents because it's optional
$ npm install markdownlint-cli2@0.9.0
# clean install using package-lock.json as source of truth
$ npm ci
npm ERR! code EBADPLATFORM
npm ERR! notsup Unsupported platform for fsevents@2.3.3: wanted {"os":"darwin"} (current: {"os":"linux"})
...
```
I'll try to fix this, but I'm not unreasonable claiming it's an npm problem, am I?? It's responsible for everything here and it's the only tool involved!
Okay... so... good news? This evening the CI Action for this project started failing on Ubuntu and Windows with the error/message you show above. This is AFTER I made a fairly trivial commit which DID involve freshening
@boneskull, I wonder if you can help me out with I wanted to start by using it to demonstrate the problem you report. So I added it to the CI workflow as a single commit on the However, two things seem off:
Have I misconfigured anything? Are my expectations wrong?
I meant to include a link to the failing CI run: https://github.com/DavidAnson/markdownlint-cli2/actions/runs/5959809845/job/16166105145
(I confirm the tag is correct via https://www.npmjs.com/package/markdownlint-cli2?activeTab=code: version is 0.9.0 in package.json (commit 6b75793) and eslint-plugin-n is version 16.0.1 (commit a73a23f).)
I feel like that using Updating
For the moment, I prefer staying on v0.8.1 while all these issues remain unsolved.
I'm not ready to give up yet, but this experience certainly has NOT convinced me of how great it is. :) Regarding the drawbacks you mention:
FYI, I haven't been able to reproduce the problem outside
This should be fixed in

```
@DavidAnson ➜ /workspaces/markdownlint-cli2 (main) $ npm install markdownlint-cli2@0.9.0
npm WARN deprecated date-format@0.0.2: 0.x is no longer supported. Please upgrade to 4.x or higher.
added 442 packages in 4s
9 packages are looking for funding
run `npm fund` for details
@DavidAnson ➜ /workspaces/markdownlint-cli2 (main) $ npm clean-install
npm ERR! code EBADPLATFORM
npm ERR! notsup Unsupported platform for fsevents@2.3.3: wanted {"os":"darwin"} (current: {"os":"linux"})
npm ERR! notsup Valid os: darwin
npm ERR! notsup Actual os: linux
npm ERR! A complete log of this run can be found in: /home/codespace/.npm/_logs/2023-08-26T04_22_27_378Z-debug-0.log
@DavidAnson ➜ /workspaces/markdownlint-cli2 (main) $
@DavidAnson ➜ /workspaces/markdownlint-cli2 (main) $ npm install markdownlint-cli2@0.9.2
added 35 packages in 2s
7 packages are looking for funding
run `npm fund` for details
@DavidAnson ➜ /workspaces/markdownlint-cli2 (main) $ npm clean-install
added 35 packages, and audited 36 packages in 1s
7 packages are looking for funding
run `npm fund` for details
found 0 vulnerabilities
@DavidAnson ➜ /workspaces/markdownlint-cli2 (main) $
```
Thank you! 😄
@DavidAnson thanks for fixing this.
FYI, I captured my notes here for historical purposes and possible future reference: https://gist.github.com/DavidAnson/39b0eed160f7ce481c92e24a651b5d6f
… "npm pack" output, sort npm scripts (refs #198).
FWIW, I think shrinkwrap is appropriate if:
From the docs
IMO this is too broad, since we can see that a package (e.g., It kind of just depends on who your users are. You may want to look at ncc, which should provide reproducible bundles based on a
I don't think
When I run `npm install markdownlint-cli2@0.8.1`, I get `markdownlint-cli2` and all its dependencies.

When I run `npm install markdownlint-cli2@0.9.0`, I get this and all of the dev dependencies.

I don't recommend using a shrinkwrap, but if you must, you will want to run `npm prune --production` before generating it.