switch from lockdown to shrinkwrap #603

Closed

@dannycoates
Member

Now that package versions in npm are more stable (http://blog.npmjs.org/post/77758351673/no-more-npm-publish-f) I'd like to propose switching from lockdown to the built-in shrinkwrap.

Advantages:

  • built-in, well doc'd, maintained
  • faster install runs

Disadvantages:

  • less paranoid
  • checks version numbers not hash of contents

I think using shrinkwrap simplifies this task very slightly and I feel ok with the disadvantages.
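An added example, not part of the original post and not code from lockdown or npm, illustrating the "checks version numbers not hash of contents" disadvantage listed above: a version-only pin accepts a tarball whose bytes changed under the same name and version, while a content pin rejects it. The pin format, the package name `example-dep`, the tarball bytes and the choice of SHA-256 are all assumptions made for the illustration.

```javascript
// Added illustration: pin format, package name and "tarball" bytes are constructed.
const crypto = require('crypto');

const sha256 = (buf) => crypto.createHash('sha256').update(buf).digest('hex');

// Constructed artifacts: same name and version, different contents
// (what a republished or altered tarball looks like to the installer).
const original = Buffer.from('module.exports = () => "ok";');
const replaced = Buffer.from('module.exports = () => "changed";');

// Pins recorded at review time. `version` is all a version-only pin carries;
// `sha256` is the extra field a content pin adds (hypothetical field name).
const pins = { 'example-dep': { version: '1.2.3', sha256: sha256(original) } };

// Check one fetched artifact against the pins.
// mode 'version' compares name@version only; mode 'content' also hashes the bytes.
function verify(pins, artifact, mode) {
  const pinned = Object.prototype.hasOwnProperty.call(pins, artifact.name);
  if (!pinned) return { ok: false, reason: 'unpinned package' };
  const pin = pins[artifact.name];
  if (pin.version !== artifact.version) {
    return { ok: false, reason: `version ${artifact.version} != pinned ${pin.version}` };
  }
  if (mode === 'content' && sha256(artifact.bytes) !== pin.sha256) {
    return { ok: false, reason: 'content hash mismatch' };
  }
  return { ok: true, reason: 'matches pin' };
}

// The installer fetched the replaced bytes under the pinned name@version.
const fetched = { name: 'example-dep', version: '1.2.3', bytes: replaced };
console.log('version-only:', verify(pins, fetched, 'version'));
console.log('content hash:', verify(pins, fetched, 'content'));
```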

@pdehaan
Collaborator
pdehaan commented Mar 1, 2014

/ping @jrgm

I know we discussed this at some point. What was the drawback of using shrinkwrap under the new npm publish rules? It still wouldn't manage the sub-dependency version bumps which could cause issues?

@jbonacci
jbonacci commented Mar 3, 2014

I would love also to hear from OPs on this one.
@gene1wood

@jrgm
Member
jrgm commented Mar 4, 2014

Yeah. I don't really like losing the checksums, but I can live without. It does track all sub-dependent versions, and there is some guarantee of immutability in the "main" npm repo. I do think we should do npm shrinkwrap --dev.

@pdehaan pdehaan added this to the Mar 14 milestone Mar 4, 2014
@chilts
chilts commented Mar 4, 2014

+1 (due to there being one less moving part) :)

@shane-tomlinson shane-tomlinson referenced this pull request in mozilla/fxa-content-server Mar 5, 2014
Closed

switch from lockdown to shrinkwrap? #669

@gene1wood
Member

@jbonacci I'm fine with this, though OpSec may have concerns over losing the checksum functionality. I'd recommend looping them in.

@jbonacci

@gene1wood ok, well I don't really know how to do that via GitHub.
@dannycoates and @jrgm let's have a rep from OpSec look at this.

@seanmonstar
Member

Seems to me like a very small gain for dumping checksums. If they'll be implemented in the future for shrinkwrap, why not just wait till then to switch?

@pdehaan pdehaan referenced this pull request in mozilla-services/FindMyDevice Mar 13, 2014
Closed

Add npm-shrinkwrap #15

@dannycoates dannycoates deleted the dannycoates:shrinkwrap branch Apr 30, 2015