bundle npm v3

[stefanpenner]

current internally we use 2x

• API's have likely changed
• UX has changed (we should attempt to provide a nice UX)
• ... ?
• Support scoped addon names  #4372

This aims to improve the internals, to prep for 2.x series planned addon work

[LongLiveCHIEF]

I've found issues with the "base64"/"Base64" conflicts on Unix systems using npm v3.3. It's unfortunately a problem I don't think will go away based on the flattening of dependencies when using npm v3.3. It stems from the usage within utf-8-validate module somewhere along the line.

[stefanpenner]

@H3Chief hmm, might be we have to upgrade abunch of libs to all use one of those.

[stefanpenner]

Actually, I believe maybe NPM client should not dedupe in this case. There are some existing libs that will cause grief, this is likely a common one.

I will reach out

[ro0gr]

I use npm3 on a regular basis for last few months. It has few advantages over npm2 like incremental installations and better windows support.
So currently I have to pass --skip-npm flag when I run ember-cli commands to avoid usage of bundled npm2.

So the question is what happens if we remove dependency on npm from a package.json and just use something like spawn for package manager stuff instead of usage of npm programmable API?

I can see several advantages here:

• An ability to use whatever npm version I like or have installed globally
• significant decrease of node_modules/ size (~20mb)
• faster installation
• probably it should be easier to enable alternative package managers like pnpm or ied if it's applicable

As far as I can see currently most of npm specific logic is handled via lib/utils/npm so it looks like that switch should be relatively painless.

@rwjblue @Turbo87 @kellyselden @stefanpenner Do you guys have any concerns about it?

[kellyselden]

@ro0gr One of the reasons for bundling was eliminating a lot of bugs that were the result of unstable npm versions. Everyone using the same point release of npm eliminates that variable when triaging bug reports. It might be that npm is stable enough now to not be concerned with its bugs...

[stefanpenner]

@ro0gr working correctly with any random version of NPM has proved impossible, It is very unlikely we will return to that world.

If anything, we should bundle a newer version.

[ro0gr]

@kellyselden from my experience it still has few undesirable bugs. But now install works much more reliable. I've completely forgot when I cleaned my node_modules last time(maybe I'm doing something wrong 😄 ).

@stefanpenner I totally understand your concern about installations consistency but the current approach seems too limiting for me. It would be great if developer had an option to choose package manager version to use.

Just an example: In my company we use npm@3.5.3 we can't just jump to 3.8.2 until it's well tested for the bunch of our projects. Basically we do not trust any different version for now :(
I suspect when npm3 is bundled with ember-cli we will still have the same --skip-npm pattern in the wild(actually I don't know if anybody makes it but me). Some people will trust npm2 and the others will trust npm3.x.x(different from bundled one).

Looks like I'm out of scope for the current issue.. So in general I'm ok with the current approach. But it looks that for now and even after bundling of newer npm version some of the ember-cli users are encouraged to --skip-npm which doesn't seem like an ergonomic flow. I believe there should be a ways to achieve the balance between consistency and flexibility.

[stefanpenner]

I believe there should be a ways to achieve the balance between consistency and flexibility.

sure, this depends on npm improving, which is totally out of scope for this project.

--skip-npm does the trick for now, and the vast majority of users do not even require that step.

This discussion seems entirely orthogonal to this issue...

[stefanpenner]

will fix: #4372

[nathanhammond]

Completed in #6306.