-
Notifications
You must be signed in to change notification settings - Fork 17.4k
Conversation
So, an open discussion related to this. Lockfiles are annoying to maintain. Any time any package in our dependency tree releases a compatible update, every run of We have a few options here:
/cc @asheren @daviwil @queerviolet @jasonrudolph @maxbrunsfeld @as-cii @annthurium for opinions and thoughts 💭 while I work out the kinks in the build scripts 😄 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Aside from the possible use of process.env.CI
, it looks great!
script/bootstrap
Outdated
@@ -17,6 +17,9 @@ process.on('unhandledRejection', function (e) { | |||
process.exit(1) | |||
}) | |||
|
|||
// We can't use yargs until installScriptDependencies() is executed, so... | |||
const ci = process.argv.indexOf('--ci') !== -1 |
This comment was marked as resolved.
This comment was marked as resolved.
Sorry, something went wrong.
This comment was marked as resolved.
This comment was marked as resolved.
Sorry, something went wrong.
Lockfiles are definitely a pain, I've been scratching my head every day recently and worrying about whether I'm going to break everything by committing changes. No harm in trying it for a while though until we get used to it and understand what to expect. I had also thought about the auto-PR of new My biggest problem with the lockfiles changing is that I'm not sure I trust whether it's actually due to dependencies changing or Regardless of any solution, I think we'll have to be vigilant at first and make sure to really scrutinize the changes so that we don't end up with unexpected problems in release builds. |
Yeah. Would it be valuable to have an alternative script that runs
True... I've seen that too. For a while there were problems with platform-specific optional dependencies flapping in and out of the lockfile and some ordering inconsistencies. In general I think npm is trying to make lockfile generation deterministic but there are definitely some cases where it isn't quite. I think the ideal path forward here would be to increase our faith in our CI catching the kinds of breakage that we want to avoid, so that a green check gives us a strong assurance that an update is acceptable (and a red X gives us a signal that we need to tighten a dependency range or send a PR upstream). Specifically, the greatest source of uncaught breakage that I've seen is when something breaks electron-link or snapshotting. Our transitive dependencies don't test or consider these because neither are common, so it's easy for a patch-version change upstream to break our build. React 16.4.2 did this: a change in the way their source was minimized breaks electron-link! A while ago we had a patch version of Relay that broke, too (but that would have been caught by our regular test suite, I believe - this was before we had any test coverage for our Relay code).
Ah, interesting. Can do 👍 |
Okay, this is weird. After running
My current guess is that apm's postinstall script is borking up npm: echo ">> Downloading bundled Node"
node script/download-node.js
echo
echo ">> Rebuilding apm dependencies with bundled Node $(./bin/node -p "process.version + ' ' + process.arch")"
./bin/npm rebuild
echo
echo ">> Deduping apm dependencies"
./bin/npm dedupe |
One of those could be useful, and it might be even better if we can include a pre-commit hook check to see if
✔️ Regarding the |
I couldn't figure out why apm's install was breaking, so I'm just... always using I was able to get a successful build locally with this, so let's see if CI is happy 🤞 |
Oh, neat, I like those ideas. git doesn't make it easy to distribute hooks, though. 🤔
No, it shouldn't be... Basically, the apm package includes a postinstall script that calls |
CI is 🍏, looks good to go! |
I've added a
--ci
argument toscript/build
. When specified, invocations of npm and apm use the "ci" command rather than "install".npm ci
documentationI doubt this will substantially improve our build times; we're shaving time off of a step that isn't taking the bulk of our build time. The most notably benefit will be reliability: by installing the package versions pinned in the lockfile exactly, patch releases of transitive dependencies should no longer implicitly creep in and break our build.