Hoisting breaks `require` semantics #867
Hoisting is intended as a runtime optimization that doesn't affect program correctness. But it's easy to accidentally write a package that only works when hoisting is in effect and then breaks if deployed as a normal package.
Each package should have access to the exact same set of dependencies, whether or not hoisting is applied.
Hoisted dependencies leak into packages that otherwise should not have access to them.
Move the hoisted dependencies out of the natural node module resolution path and instead link them explicitly into the packages where they are appropriate.
For example, assume that
Instead we could move the hoisted deps off the module resolution path:
This would also eliminate the need for
Moving a piece of code between packages is a reasonably common thing to do. If you do that while using hoisting, it's easy to produce packages that no longer work standalone without realizing it. For this reason, IMO it's not currently safe to use
This situation is just always true regardless of whether you use lerna. If you npm install a package, its deps are installed alongside it in a flat structure in
Not true. In a non-monorepo collection of projects, one normally goes and installs dependencies for each project separately. One project cannot import the dependencies from another project.
When Lerna hoists dependencies, it makes dependencies visible to all packages, which just isn't very safe, and is not a common scenario at all. Most people install dependencies only inside their project and thus don't have this problem, while with Lerna hoisting they do have this problem.
That's not true. You can import nearly every transitive dependency regardless of whether you depend on it directly; just look in node_modules on a single package and try. Yes, Lerna theoretically adds more you can accidentally require, but it's not more unsafe than any project that uses npm or yarn.