Clarification needed for package lock files #2271

Closed
simllll opened this issue Sep 16, 2019 · 4 comments
Labels
scope: package management Issues with the bootstrap/add/link commands that relate to package management

Comments

@simllll
Contributor

simllll commented Sep 16, 2019

There are a lot of open and closed issues around regarding lock files (mainly I was looking for package-lock.json issues with npm).

I'm not quite sure if this is intended, or if it is a bug... but I do not get any lock file in my sub packages. I'm hoisting all the dependencies though, which would actually make sense to me that it is hard for any kind of lock file to get generated.

So first I would like to clarify if this is the case: does hoisting prevent package lock files from being generated in my sub packages? I only have one in my root folder.

The problem with this is that I just hoist for development purposes, as soon as the CI pipeline kicks in, all the dependencies get built & published, and afterwards an npm install in the "sub directory" is executed... but now this npm install has no package-lock to refer to. This turned out already badly several times, as suddenly a wild new package appears which breaks something in the current build.

Is there any better approach? How do you maintain your lock files for the sub folder guys? Or how could I solve my issue to "reference" the package-lock file from the root folder even though I'm running an npm install in a sub folder?

Expected Behavior

  • There should be an approach that lets us use the package lock files.
  • Improve documentation for hoisting, that there is only a package lock file in the root folder.

Current Behavior

  • There is no package-lock file in each package.
  • There is only one package lock file in the root folder.
  • This package lock file cannot be used for npm installs in sub packages.

Steps to Reproduce (for bugs)

  1. create monorepo
  2. add two packages with at least one external dependency
  3. run lerna bootstrap --hoist --force-local
  4. no package-lock in sub folders / only in root

lerna.json

{
	"packages": ["packages/*", "services/*"],
	"version": "independent",
	"command": {
		"publish": {
			"message": "chore(release): publish"
		}
	},
	"hoist": true,
	"forceLocal": true,
	"conventionalCommits": true,
	"reject-cycles": true,
	"ignoreChanges": [
		"**/__tests__/**",
		"**/*.md",
		"**/*.tmp"
	]
}

Context

Ran into several deployment issues due to the missing package-lock file.

Your Environment

linux / CI build

Executable Version
lerna --version 3.16.4
npm --version 6.11.3
node --version v12.6.0
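
Added example, not part of the original issue and not Lerna's own code: a sketch of a CI check for the situation reported above. It classifies each sub-package's registry dependencies as pinned by the sub-package's own lock file, pinned only in the root lock file (which the issue reports cannot be used by an npm install in a sub package), or not pinned anywhere. The helper names and the `example-*` packages are hypothetical, and the lock files are assumed to be already parsed from JSON.

```javascript
// Added example; sample data is constructed and all helper names are hypothetical.
// Names a lock file pins at its top level, mapped to the exact version.
// lockfileVersion 1 (npm 6): "dependencies" keyed by package name.
// lockfileVersion 2/3 (npm 7+): "packages" keyed by "node_modules/<name>".
function topLevelPins(lock) {
  const pins = new Map();
  if (!lock) return pins;
  for (const [name, entry] of Object.entries(lock.dependencies || {})) {
    pins.set(name, entry.version);
  }
  const prefix = 'node_modules/';
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const name = path.startsWith(prefix) ? path.slice(prefix.length) : '';
    // Skip the root entry, nested copies and symlinked workspace packages.
    if (!name || name.includes('/' + prefix) || entry.link) continue;
    pins.set(name, entry.version);
  }
  return pins;
}

// Classify each registry dependency of one sub-package by where it is pinned.
function auditPackage(pkg, rootLock, siblingNames) {
  const local = topLevelPins(pkg.lock);
  const root = topLevelPins(rootLock);
  const report = { name: pkg.manifest.name, local: [], rootOnly: [], unlocked: [] };
  const declared = { ...pkg.manifest.dependencies, ...pkg.manifest.optionalDependencies };
  for (const dep of Object.keys(declared).sort()) {
    if (siblingNames.has(dep)) continue; // sibling package, linked rather than fetched
    if (local.has(dep)) report.local.push(dep);
    else if (root.has(dep)) report.rootOnly.push(dep);
    else report.unlocked.push(dep);
  }
  return report;
}

// `packages` is [{ manifest, lock }], with lock set to null when the file is absent.
function auditMonorepo(packages, rootLock) {
  const siblings = new Set(packages.map((p) => p.manifest.name));
  return packages.map((p) => auditPackage(p, rootLock, siblings));
}

// Constructed sample: hoisted layout where only the root has a lock file.
const sampleRootLock = { lockfileVersion: 1, dependencies: { 'example-logger': { version: '2.3.1' } } };
const samplePackages = [
  { lock: null, manifest: { name: 'widget', dependencies: {
    'blah-unpublished': '^1.0.0', 'example-logger': '^2.0.0', 'example-parser': '~0.4.0' } } },
  { lock: null, manifest: { name: 'blah-unpublished', dependencies: { 'example-parser': '~0.4.0' } } },
];
console.log(JSON.stringify(auditMonorepo(samplePackages, sampleRootLock), null, 2));
```

A pipeline can treat a non-empty `rootOnly` or `unlocked` list as a failure before it runs the sub-folder install.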
@ELLIOTTCABLE

I'm running into this, too.

My current approach, painfully, is to manually npm install in each of the sub-packages, after lerna bootstrap, when adding new packages / updating versions. This gives each package a chance to update its "local lockfile."

Notably, if you have packages which depend on other, unpublished packages, this is going to be … extremely not-fun:

  1. with blah-unpublished included in the deps of widget, lerna bootstrap in the root
  2. manually remove blah-unpublished from the deps of widget
  3. manually npm install in ./packages/widget, so that widget's package-lock.json includes everything except blah-unpublished
  4. manually re-add blah-unpublished to the deps in widget
  5. run lerna bootstrap --ci in the root.

yikes!

@massens

massens commented Feb 12, 2020

We have exactly the same issue as @simllll

It seems reasonable that there should be a workflow where you have complete control over which dependencies are used through lock files, and you're not exposed to new packages breaking deploys. Maybe we're missing something?

creemama added a commit to creemama/utiljs that referenced this issue Nov 29, 2020
This allows us to remove package-lock.json in subpackages.

See the following:
* https://github.com/lerna/lerna/tree/main/commands/bootstrap
* lerna/lerna#2271

Since we have npm-check-updates, we do not need to run npm outdated.
npm outdated does not work without node_modules in each subpackage.
The hoist option does not allow this.
DanielHabenicht added a commit to CovOpen/CovQuestions that referenced this issue Mar 7, 2021
@Carduelis

Carduelis commented Apr 8, 2021

I was very surprised that when I redid lerna bootstrap, the deleted file did not reappear after I had deleted package-lock because of a lot of git conflicts that were there when I did a cherry-pick.

My root package.json has 10-15% of all dependency sections in all packages. Therefore all other packages could be replaced and no one would notice it.

How to solve this issue in a correct way?

creemama added a commit to creemama/utiljs that referenced this issue May 8, 2021
This allows us to remove package-lock.json in subpackages.

See the following:
* https://github.com/lerna/lerna/tree/main/commands/bootstrap
* lerna/lerna#2271

Since we have npm-check-updates, we do not need to run npm outdated.
npm outdated does not work without node_modules in each subpackage.
The hoist option does not allow this.
@JamesHenry JamesHenry added the scope: package management label Jun 14, 2022
@fahslaj
Contributor

fahslaj commented Oct 19, 2023

Hi all, it is no longer recommended to use lerna bootstrap. The recommendation for modern versions of Lerna is to rely on the workspaces functionality of whichever package manager you are using. I would suggest checking out the legacy package management page in the Lerna docs.

Older versions of Lerna that don't support workspaces are no longer supported, and alternatives to workspaces are outlined in that doc.

@fahslaj fahslaj closed this as not planned Oct 19, 2023