Isaacs/install finish #1245
Isaacs/install finish #1245
Conversation
Ok, just had a "how hard could it be? 🤷♂️" moment, and took a crack at doing this in cli. Yeah, no. It needs to be an arborist thing. The thing that's there is kind of broken/incomplete anyway, and I don't want to reimplement half of reify outside of Arborist, that sense makes not any. |
|
ah great, I see it fixes #1234 |
|
|
||
| if (npm.flatOptions.depth !== Infinity) { | ||
| log.warn('update', 'The --depth option no longer has any effect. See RFC0019.\n' + | ||
| 'https://github.com/npm/rfcs/blob/latest/accepted/0019-remove-update-depth-option.md') |
There was a problem hiding this comment.
I'd prefer to be even more cautious and link to: https://github.com/npm/rfcs/blob/ea2d3024e6e149cd8c6366ed18373c9a566b1124/accepted/0019-remove-update-depth-option.md instead
There was a problem hiding this comment.
Hm! I considered that, but I figured if we ever update it or something, we'd want to have the user see the latest and greatest version, no?
There was a problem hiding this comment.
I would still prefer linking to the commit as I can see many possible problematic things happening:
- what if us (or a future team working on this repo) decides to rename branches?
latesttomaster, etc - what if someone at a point in future decides to rename the
acceptedfolder? - what if that rfc gets withdrawn and/or moved to a diff folder?
Although it seems unlikely in the near-future, I had been bitten by these sorts of changes in the past and I grew to really appreciate linking to the commit blob links instead, just by seeing these things actually happening 😊
but then again I also see that the chance of this message changing before any of the aforementioned happening is also really high 😄
|
ooohh actually might be a good idea to rebase |
isaacs
force-pushed
the
release/v7.0.0-beta
branch
from
cd6840b
to
e57a991
Compare
This adds support for Arborist.audit()
This adds a 'reify-output.js' util, which can be passed any Arborist object after it reifies a tree. Consistent output is printed in all cases, showing the number of packages added/removed/changed, packages needing funding, and a minimal (but always actionable and relevant) audit summary. The only code using the Installer class now is in lib/outdated.js, which is has a pending update coming soon. Prune and dedupe commands are awaiting top-level Arborist methods, so that they can be similarly tightened up. (For now, this commit just has them fail with a 'coming soon' message.) The last piece holding the 'install/*.js' code in this repo is that it is used in 'ls', 'fund', 'shrinkwrap', and the error-message util.
We buffer the output for scripts, and throw it away if the failure is not something we have to care about. But if we DO have to care about it, it's important to show it. This is a bare-minimum approach. The error handling stuff here could use a careful refactor, and it'd be nice if @npmcli/promise-spawn put something more definitive on the error it returns, so that we didn't have to duck-type it like this.
isaacs
force-pushed
the
isaacs/install-finish
branch
from
01300dd
to
56a688a
Compare
PR-URL: #1245 Credit: @isaacs Close: #1245 Reviewed-by: @ruyadorno
|
Landed on release/v7.0.0-beta. Thanks! |
Big red diff day!
Sorry for the massive drop. The main things going on here:
arborist.reify()have been ported to actually use Arborist (except forpruneanddedupethat are blocked by Arborist lacking those features for the moment.) That is: install, ci, rm, update, audit, audit fix.util/reify-output.jsmodule is added, which all of these call to produce consistent output after operation.npm auditis almost where it needs to be, but Arborist.audit() and npm-audit-report need to be made aware that bundled deps can't be fixed withnpm audit fix.npm audit fix, it'll print a full audit, so you don't have the annoying behavior of runningnpm audit fixand having it tell you to runnpm audit fixagain. (Also: it'll only suggest runningnpm audit fixif there's actually something that can be fixed, andnpm audit fixcan fix transitive meta-dependency issues no matter how deep!)npm shrinkwrapis updated to use Arborist, so that it will always update the shrinkwrap to the latest and greatest lockfileVersion.Unfortunately, we still can't fully remove the
lib/install/folder, because it's being used by ls, fund, andutil/error-message.js. But almost!Next up for pieces keeping lib/install/*.js and lib/fetch-package-metadata.js around:
prunein Arboristdedupein Arboristrebuildin Arborist (or, if not a top-level arborist method, implement it using Arborist.loadActual() and bin-links instead; but it really feels like it might be more under Arborist's charter than the cli's.)