Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Make additive lock file optional #18296

Closed
sirikon opened this issue Mar 20, 2023 · 0 comments · Fixed by #24355
Closed

Make additive lock file optional #18296

sirikon opened this issue Mar 20, 2023 · 0 comments · Fixed by #24355
Assignees
@nathanwhit
Milestone
2.0.0

Comments

@sirikon
Copy link

sirikon commented Mar 20, 2023

Deno 1.27.1 introduced additive lock files:

Before version 1.27.1, I could use the --cached-only functionality to ensure that, whenever I'm executing deno run, only the dependencies specified in the lock file are executed, giving me more control over when or how the lock file is updated, improving reproducibility.

I could limit lock file modifications to a single deno cache --lock-write and nothing else. Adding dependencies without "locking" them purposefully and then executing the project would result in a clear error.

I would love to have this functionality back. After version 1.27.1, I have no way to control this, and as a result:

  • Reproducibility and security worsened, allowing the code on the repository to "work", but behave differently depending on when it was executed. Today I could commit an addition of a new dependency without locking it in, and the code would execute without issues, introducing the possibility of it behaving differently in the future by downloading a different version of the dependency.
  • An automated build that checks that all the dependencies are present in the lock file becomes more complicated, needing to:
    • a) Check with git if lock file changed, and fail if so.
    • b) Have a separate DENO_DIR folder for each run, effectively disabling any possible caching.

It should be able to disable additive lock files. IMHO, it should actually be disabled by default or not even implemented in the toolchain, but the possibility to disable them by a flag would be an improvement.

PS: A change on how lock files are managed isn't something I would expect from a "patch" version. I can't find Deno's versioning specification, but many people would assume it's SEMVER because "it's three numbers separated by dots". Seeing Deno's versioning history, "minor" number bumps can mean breaking changes, but until today, didn't knew "patch" number bumps could mean breaking changes, too. Maybe some clarification over the versioning is worth the effort.
@dsherret dsherret added this to the 2.0 milestone May 4, 2024
@dsherret dsherret mentioned this issue Jun 13, 2024
Closed
@bartlomieju bartlomieju assigned nathanwhit and unassigned dsherret Jun 18, 2024
@nathanwhit nathanwhit mentioned this issue Jun 27, 2024
Merged
zebreus pushed a commit to zebreus/deno that referenced this issue Jul 8, 2024
@nathanwhit @zebreus
feat(cli): Add --frozen flag to error out if lockfile is out of date (
97d9833 
denoland#24355)

Closes denoland#18296.

Adds a `--frozen` (alias `--frozen-lockfile`) flag that errors out if
the lockfile is out of date. This is useful for running in CI (where an
out of date lockfile is usually a mistake) or to prevent accidental
changes in dependencies.

![Screenshot 2024-06-26 at 7 11
13 PM](https://github.com/denoland/deno/assets/17734409/538404b8-b422-4f05-89e8-4c9b1c248576)
@kachick kachick mentioned this issue Sep 4, 2024
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@nathanwhit nathanwhit

Labels
None yet
Projects
None yet
Milestone
2.0.0
Development

Successfully merging a pull request may close this issue.

feat(cli): Add --frozen flag to error out if lockfile is out of date nathanwhit/deno
3 participants
@sirikon @dsherret @nathanwhit