Hoisting seems broken with npm5

[jquense]

Expected Behavior

lerna bootstrap --hoist should hoist dependencies when using npm@5

Current Behavior

The correct package.json is generated in the root directory but none of the hoisted deps are installed when a package-lock.json is present....which as far as I can tell (thanks npm docs!) can't be toggled off.

lerna.json

{
  "lerna": "2.0.0-rc.5",
  "version": "4.0.0-rc.6",
  "hoist": true,
  "packages": [
    "packages/*"
  ]
}

Your Environment

Executable	Version
lerna --version	2.0.0-rc.5
npm --version	5.0.0

OS	Version
macOS	?

[hzoo]

Yeah it's definetely not handled yet (nothing on npm 5 is supported since we haven't tested)

[evocateur]

This is not surprising, but definitely needs to be addressed. Hopefully we can delegate most/all of the bootstrapping logic to npm@5.

[jquense]

might be worth making a note of somewhere, node8 is coming out today and ships with (or soon will ship with npm5) Don't want ya'll overrun by folks with the same issue :)

[tivac]

#851 is another npm@5 issue similar to this one.

[garthk]

Workaround to force npm 4.6 despite a global npm 5, at least when running lerna in the root of your monorepo:

• npm install --save-dev npm@4.6.1
• set npmClient to node_modules/.bin/npm in your lerna.json

[rgbkrk]

Workaround to force npm 4.6 despite a global npm 5

This works well on macOS and Linux, does not work well on Windows as the npm bin references the npm-cli used by *nix systems:

Error: Cannot find module 'C:\projects\nteract\node_modules\.bin\node_modules\npm\bin\npm-cli.js'
    at Function.Module._resolveFilename (module.js:469:15)
    at Function.Module._load (module.js:417:25)
    at Function.Module.runMain (module.js:604:10)
    at Function.runMain (C:\Users\appveyor\.node-spawn-wrap-952-2fdd5baf427b\node:40:10)
    at Object.<anonymous> (C:\projects\nteract\node_modules\nyc\bin\wrap.js:23:4)
    at Module._compile (module.js:570:32)
    at Object.Module._extensions..js (module.js:579:10)
    at Module.load (module.js:487:32)
    at tryModuleLoad (module.js:446:12)
    at Function.Module._load (module.js:438:3)

We only noticed that via our AppVeyor setup.

[evocateur]

Notably, if you "manually" hoist all the managed dependencies into the root (thus ensuring lerna bootstrap is mostly a no-op, aside from symlinking), it works with npm@5. Not ideal, but it's a more robust cross-platform workaround.

[MoOx]

@evocateur what are you calling "hoisting manually"?

[evocateur]

All dependencies in ./packages/*/package.json are literally added to ./package.json Thus, when bootstrapping, everything already exists in the root and only symlinking is necessary.

…

On Jun 10, 2017, at 15:09, Maxime Thirouin ***@***.***> wrote: @evocateur what are you calling "hoisting manually"? — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub, or mute the thread.

[rgbkrk]

What would be an ideal way of combining all the dependencies of the subpackages to add to the main package?

[blink1073]

@rgbkrk, something like this should work (adapted from a JuypterLab script):

var path = require('path');
var glob = require('glob');

/**
 * Handle an individual package on the path - get its dependencies.
 */
function handlePackage(packagePath, data) {
  // Read in the package.json.
  var packagePath = path.join(packagePath, 'package.json');
  try {
    var package = require(packagePath);
  } catch (e) {
    console.log('Skipping package ' + packagePath);
    return;
  }

  var deps = package.dependencies || [];
  for (let dep in deps) {
    data.dependencies[dep] = deps[dep];
  }
}

var data = require('./package.json');

// Handle all of the packages.
var basePath = path.resolve('.');
var files = glob.sync(path.join(basePath, 'packages/*'));
for (var j = 0; j < files.length; j++) {
  handlePackage(files[j], data);
}
console.log(JSON.stringify(data.dependencies, null, 2));

[blink1073]

Follow up: I just tried the above for JupyterLab here, and not all of the packages are ending up in the top level node_modules after hoisting, meaning we still can't use npm@5.

[Tallyb]

package-lock.json can be disabled using npm config set package-lock false
You probably also want to add in npm config set save false

[blink1073]

Confirmed that npm config set package-lock false is enough to get us going for now, thanks @Tallyb!

[garthk]

Anyone figured how to set that locally?

[tivac]

It seems like you could add a .npmrc file to the root of your lerna install, and then set

package-lock = false

in it? Can't test it atm but seems plausible.

[blink1073]

That should work, package-lock=false is what ends up in my ~/.npmrc with the npm config command.

[tivac]

It does work, though you need a .npmrc file for the root and every child package. A little annoying, but better than not being able to use bootstrap --hoist.

[redonkulus]

@jquense @evocateur is there a minimally reproduce-able example we can provide npm so they can debug this issue?

[evocateur]

I just use relative file: specifiers for sibling dependencies now, don't even use lerna bootstrap anymore. Lerna's own source code demonstrates the usage. npm i packages/* and you're done.

[tivac]

Or lerna exec -- npm i for cross platform support.

Should we switch to recommending that by default? I'm biased but think so.

[evocateur]

@tivac Since lerna itself has no problem at all using npm ci with relative file specifiers in its windows builds, I'm inclined to believe that your recent issues migrating modular-css are due to dependencies misbehaving, not cross-platform incompatibility (that would be an issue for npm to fix).

[joebowbeer]

@tivac Is lerna exec -- npm i really equivalent to npm i packages/*?

[evocateur]

No, it isn't. Again, it's more than likely a symptom of misbehaving dependencies, not Windows platform-ness. Relative file: specifiers in the root results in basically the same symlink structure as yarn workspaces.

[tivac]

Yup, sorry everybody, I totally misunderstood the purpose of npm i packages/*. It isn't to run npm i within each of those directories, it's to add them as a file dependency there.

I ran npm i packages\<package> manually for each one of my packages. It added new file dependencies at the root level for each of the child packages. I also previously had manually hoisted all my devDependencies to the root.

But now what? Should npm i from the root install the dependencies of those file: packages?

[evocateur]

Should npm i from the root install the dependencies of those file: packages?

Yep! The whole tree becomes serialized in the package-lock.json, including relative file: siblings. It's pretty sweet.

[tivac]

I was running into some trouble with that workflow last night but think I finally got things cleaned up and functioning more cleanly!

Thanks for your patience as I stumbled through this process.

[joebowbeer]

@evocateur please excuse the follow-ons; I am hoping you can clarify your comment above regarding file: -- I just came across npm/pull/15900 which claims link: is the new file:

BTW it would be great to update the lerna doc to include a description of this golden path free of bootstrap.

[evocateur]

Yeah, that PR eventually went back to file: without updating the summary. If you run lerna link convert (only needed once), it basically sets you up on the golden path.

I agree I really need to get around to a blog post or something...

[redonkulus]

@evocateur is lerna link convert an easter egg? Should it be documented on https://github.com/lerna/lerna/tree/master/commands/link#readme?

[evocateur]

Yeah, sometimes I forget the CLI help isn't automatically shown in the README. And in this case, could definitely use more context. Along with that Lerna 3.0 blog post I've been meaning to write for a few months now...

$ npx lerna link -h
lerna link

Symlink together all packages that are dependencies of each other

Commands:
  lerna link convert  Replace local sibling version ranges with relative file: specifiers

Command Options:
  --force-local  Force local sibling links regardless of version range match                                             [boolean]

(cut off repetitive global options)

[stale]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

[revelt]

hi all, I don't see any issues with Lerna hoisting on npm 6.9.0. Please confirm can we close this issue.

[JamesHenry]

Hi Folks 👋

Please take a look at our published roadmap for Lerna v7 here: #3410

One of the key items covered at length on there (please do read it for full context) is that now that we find ourselves in late 2022, it no longer makes sense for lerna to supplement package management concerns (such as installation, boostrapping, linking etc) which are covered reliably for monorepo workspaces by the three main package managers: npm, yarn and pnpm. lerna bootstrap et al were developed in completely different era of the JavaScript ecosystem.

If you have any specific concerns please do join in on that discussion, and provide as much context as possible.

Many thanks 🙏