This repository has been archived by the owner. It is now read-only.

npm shrinkwrap --production #11189

Closed
natew opened this Issue Jan 17, 2016 · 11 comments

natew commented Jan 17, 2016

I have a module that has devDependencies. When I npm shrinkwrap it fails with extraneous errors.

It seems for now my only option is to manually remove the devDependencies fields and modules before releasing, and then add them back in after.

I searched around a bit and see some related tickets, but nothing suggesting this. I would think the npm shrinkwrap would ignore devDependencies by default, and write out shrinkwrap with just the regular ones. But at least having a --production option would let us build the shrinkwrap without the devDeps included.

cchamberlain Jan 17, 2016

@natew: This set of scripts is working pretty well for me using @iarna in-publish module as a prod dependency:

    "release-patch": "npm version patch && npm publish",
    "postversion": "npm rm history",
    "prepublish": "in-publish && npm dedupe && npm prune --production=false && npm shrinkwrap || not-in-publish",
    "postpublish": "rimraf npm-shrinkwrap.json && git push --follow-tags",

Only issues I've had lately with extraneous was the history module (react-bootstrap/react-bootstrap#1395) and when I was attempting to shrinkwrap one of my libraries and then shrinkwrap that into my app which is a bad idea.

If you see history as one of them try sticking an npm postversion remove step like I did.

If my understanding of shrinkwrap is correct, it shouldn't include your dev dependencies, but it will include your prod dependencies => dev dependencies.

natew Jan 17, 2016

@cchamberlain trying to understand this, but does this just remove the shrinkwrap if it fails?

My ideal is: it shrinkwraps just the dependencies, ignores the devDependencies. I want the regular deps shrinkwrapped though.

For now I've scripted around it but it's less simple than just removing it.

cchamberlain Jan 18, 2016

@natew - I have npm-shrinkwrap.json in my .gitignore along with all my other built files, but if I didn't, this would ensure that it does not get committed to git. I also exclude my src directory from what I publish to npm via package.json files node. The only time I want the npm-shrinkwrap.json is when I'm actually publishing, and after that I discard it since it's been published to npm with the package version. Having shrinkwrap sitting around in the package while you're developing gets very annoying since it messes up npm installs.

I'm following @iarna's guide here -> https://re-becca.org/2015/01/publish-only-shrinkwrap/

natew Jan 18, 2016

I too have it in gitignore. The guide is nice but that doesn't solve my problem.

Basically have this package.json:

    { "devDependencies": { "reapp-ui": "1.0.0" } }

    npm install

Now you run npm shrinkwrap and you get an error "extraneous". So what can you do to avoid having to wipe out node_modules and reinstall every time you shrinkwrap?

cchamberlain Jan 27, 2016

@natew Do you use npm prune --production=false?

That is meant to wipe out all extraneous dependencies; using explicit false ensures it will keep the dev dependencies even if NODE_ENV is production in your environment. It will not remove optional dependencies so you'd have to remove those with a custom build step. Not sure if you've been using this already.

shinout May 26, 2016

    npm prune --production
    npm shrinkwrap

This satisfies the requirement to omit all dev-dependent modules in npm-shrinkwrap.json.

natew May 26, 2016

cchamberlain May 26, 2016

npm prune --production would require you to reinstall all dev dependencies again, yes. Don't like this solution since the build time gets blown up.

Would be nice if there was something like npm archive --production --shrinkwrap <path/to/archive> that would do all of this and export the result to a separate directory and leave the build directory intact.

shinout Jun 4, 2016

On npm v2,

  • npm shrinkwrap omits dev-dependent modules
  • wrongly omits dev-dependent modules which are sub-dependent

On npm v3,

  • npm shrinkwrap includes some (not all) of dev-dependent modules
  • after npm prune --production, it's ok

Currently, the following process is the only way to get the correct result on npm >=v2.

    rm -rf node_modules
    npm install --production
    npm shrinkwrap

I hope this would be fixed.

shinout added a commit to CureApp/node-circleci-autorelease that referenced this issue Jun 4, 2016

vincentwoo Jun 28, 2016

I believe shrinkwrap with devDependencies on npm 3 is broken. Right now it tries to do things like:

    npm WARN shrinkwrap Excluding devDependency: yargs@4.7.1 { bugsnag: '*',

But this check is very naive. It does not check if packages were pulled in by devDependencies, and so there are many extraneous entries in the shrinkwrap.
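
One way to check a generated npm-shrinkwrap.json for the two problems reported in this thread (entries pulled in only by devDependencies, and production sub-dependencies left out), as an added example that is not part of the original thread and not npm's own code. The function names and the `manifests` map (each package's package.json, as would be read from node_modules) are assumptions, and the sample data uses hypothetical package names.

```javascript
// Runtime deps a production install pulls in for one package.json.
const prodDeps = (m = {}) =>
  Object.keys(Object.assign({}, m.dependencies, m.optionalDependencies));

// Names reachable from the root through production edges only. Assumes one
// installed version per name (a flat, npm 3 style tree).
function productionClosure(rootName, manifests) {
  const seen = new Set();
  const queue = prodDeps(manifests[rootName]);
  while (queue.length > 0) {
    const name = queue.pop();
    if (seen.has(name)) continue;
    seen.add(name);
    queue.push(...prodDeps(manifests[name]));
  }
  return seen;
}

// Every package name recorded in a shrinkwrap tree, nested entries included.
function shrinkwrapNames(node, out = new Set()) {
  for (const [name, child] of Object.entries(node.dependencies || {})) {
    out.add(name);
    shrinkwrapNames(child, out);
  }
  return out;
}

// extraneous: locked, but reachable only through devDependencies.
// missing: needed by a production dependency, but not locked.
function auditShrinkwrap(shrinkwrap, manifests) {
  const prod = productionClosure(shrinkwrap.name, manifests);
  const locked = shrinkwrapNames(shrinkwrap);
  return {
    extraneous: [...locked].filter((n) => !prod.has(n)).sort(),
    missing: [...prod].filter((n) => !locked.has(n)).sort(),
  };
}

// Constructed sample with hypothetical package names.
const manifests = {
  app: { dependencies: { 'prod-a': '*' }, devDependencies: { 'dev-tool': '*' } },
  'prod-a': { dependencies: { 'shared-lib': '*' } },
  'dev-tool': { dependencies: { 'dev-helper': '*', 'shared-lib': '*' } },
};
const shrinkwrap = {
  name: 'app',
  dependencies: { 'prod-a': { version: '1.0.0' }, 'dev-helper': { version: '1.0.0' } },
};
console.log(auditShrinkwrap(shrinkwrap, manifests));
```

A non-empty `extraneous` or `missing` list is a reason to regenerate the file from a production-only install before publishing.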

npm-robot Jun 19, 2017

We're closing this issue as it has gone thirty days without activity. In our experience if an issue has gone thirty days without any activity then it's unlikely to be addressed. In the case of bug reports, often the underlying issue will be addressed but finding related issues is quite difficult and often incomplete.

If this was a bug report and it is still relevant then we encourage you to open it again as a new issue. If this was a feature request then you should feel free to open it again, or even better open a PR.

For more information about our new issue aging policies and why we've instituted them please see our blog post.

npm-robot closed this Jun 19, 2017