Updating shrinkpacked dependencies #68
I wrote up some instructions for this as part of my sample React/Redux/Webpack project config repo, at https://github.com/markerikson/react-redux-cesium-testing-demo . Pasting those instructions here for reference:

Managing Dependencies using Shrinkpack

The recent uproar over the unpublishing of "left-pad" and the subsequent breakage of thousands of NPM packages and build environments demonstrates the need to maintain a fixed list of all transitive dependencies. However, the common suggestion of checking in

While researching this issue in 2015, I ran across a tool called https://github.com/JamieMason/shrinkpack , which seems to solve most of this issue. It simply refers to a npm-shrinkwrap.json file, and uses NPM's caching abilities to grab the tarballs for each exact dependency. It copies those to a

A typical Shrinkpack workflow for managing dependencies looks like this:

# one-time global install of Shrinkpack
npm install -g shrinkpack
# install whatever packages you want to update
npm install some-package --save-dev
# once you are ready to persist the upgrade, then re-generate
# the npm-shrinkwrap.json file, including devDependencies
npm shrinkwrap --dev
# re-run Shrinkpack to copy the tarballs to the ./node_shrinkwrap/ folder,
# and rewrite the shrinkwrap links to point to ./node_shrinkwrap/some-tarball.tgz
shrinkpack
# Stage updated shrinkwrap file
git add npm-shrinkwrap.json
# Stage added and removed tarballs
git add -A node_shrinkwrap
git commit -m "Updated some-package"
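A check that could run before the `git commit` step of the workflow above, as an added example that is not part of the original comment or of shrinkpack itself: it reports dependencies whose lockfile entry still points at a remote URL, entries whose tarball is absent from `node_shrinkwrap`, and tarballs no longer referenced. It assumes the nested `dependencies` / `resolved` layout of `npm-shrinkwrap.json`; the function names, package names and registry URL are hypothetical.

```javascript
// Added example (not project code); assumes nested "dependencies"/"resolved" entries.
// Return the tarball file name if `resolved` points into `dir`, else null.
function localTarball(resolved, dir) {
  const rel = String(resolved || '').replace(/^\.\//, '');
  if (!rel.startsWith(dir + '/')) return null;
  const file = rel.slice(dir.length + 1);
  return /^[^/\\]+\.tgz$/.test(file) ? file : null; // rejects nested or ../ paths
}

// Flatten the dependency tree into { dep: "a > b", resolved } records.
function collectResolved(node, trail = [], out = []) {
  for (const [name, dep] of Object.entries(node.dependencies || {})) {
    const here = trail.concat(name);
    out.push({ dep: here.join(' > '), resolved: dep.resolved });
    collectResolved(dep, here, out);
  }
  return out;
}

// `tarballs` is the list of file names found in ./node_shrinkwrap.
function auditShrinkpack(shrinkwrap, tarballs, dir = 'node_shrinkwrap') {
  const present = new Set(tarballs);
  const used = new Set();
  const report = { notLocal: [], missing: [], orphaned: [] };
  for (const { dep, resolved } of collectResolved(shrinkwrap)) {
    const file = localTarball(resolved, dir);
    if (file === null) report.notLocal.push(dep); // would still be fetched remotely
    else if (!present.has(file)) report.missing.push(dep); // tarball not on disk
    else used.add(file);
  }
  report.orphaned = tarballs.filter((f) => !used.has(f)); // unreferenced tarballs
  report.ok = report.notLocal.length + report.missing.length + report.orphaned.length === 0;
  return report;
}

// Constructed sample data (hypothetical package names, versions and URL).
const sampleShrinkwrap = {
  dependencies: {
    'some-package': {
      version: '2.1.0',
      resolved: './node_shrinkwrap/some-package-2.1.0.tgz',
      dependencies: {
        'nested-dep': { version: '1.0.0', resolved: 'https://registry.example/nested-dep-1.0.0.tgz' },
      },
    },
    'other-package': { version: '0.3.0', resolved: './node_shrinkwrap/other-package-0.3.0.tgz' },
  },
};
const sampleTarballs = ['some-package-2.1.0.tgz', 'old-package-0.1.0.tgz'];
console.log(auditShrinkpack(sampleShrinkwrap, sampleTarballs));
```

In a real checkout the two inputs would come from parsing `npm-shrinkwrap.json` and listing the `node_shrinkwrap` folder.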
One small note on the write-up above (although it is awesome and super well done): Avoid installing If As a recent example, You can install

Thanks @markerikson and @DrewML. As a part of the ESLint and eslint atom plugin teams, I am well aware of the problems that global vs. local installations can have. :-p I've made an

Thanks everyone, I still need to finish the README but will get to it soon 👍

Please see the updated README and please feel free to offer any suggestions for additions or changes. A lot of areas are quite wordy and also I've struggled to articulate what the value of shrinkpack is, so any ideas around that would be helpful – a lot of the current talk is about risk mitigation and resilience, but most don't seem to be too interested in that, maybe install speed is more of a draw.

I noticed my install speed went down when I started using shrinkpack, and for me the value really is risk mitigation and not relying on npm registry for deploying my code. So, I wouldn't promise faster installs necessarily. Note: I was already keeping the npm local cache between deployments.

Yikes, do you have any more info on this please? I'll try to improve it.

Well, since I was already keeping the local npm cache and using shrinkwrap, the only thing that really changed when I started using shrinkpack was that npm doesn't need to make the http requests to check the version on the registry. Those were super fast usually, so that doesn't save a lot of time. I'm not familiar with the inner workings of npm, so I'm not sure why the speed dropped (was only about 30 seconds). I also haven't dug very deeply into what part of the process is taking longer, because I can live with the speed penalty for the increased safety. If I get some time I'll try to do some more investigation and if I can confirm and narrow it down, I'll open an issue.

Thanks a lot @IanVS, appreciate it. I will take a look too.

In the README, you mention:
But, I don't see anywhere else in the README where updating a dependency is actually covered. I think that would be very useful information (that I'm figuring out for myself currently).
Thanks for the awesome tool!