Canonicalize npm-shrinkwrap.json file contents for easier diffing #3398
Comments
In my experience the order stays the same; the issues come when upgrading between versions of npm, all of which seem to store slightly different metadata, thus making diffs generated between versions very differently. Has your experience been that the order, specifically, is rearranged? |
I've seen reordering but perhaps my process for updating is wrong. When we want to update all of our dependencies to the latest versions I delete the node_modules directory and npm-shrinkwrap.json, then run "npm install" followed by "npm shrinkwrap". The resulting shrinkwrap file is then diffed and checked in. |
Hmm OK, that sounds reasonable. I guess I just haven't seen that yet. In which case, +1, this would make a lot of sense. |
@derekcicerone What was the before and after in this case? |
The before and after? I'm not sure I understand your question. The shrinkwrap file lists out a bunch of modules and the ordering of the modules was significantly different when I last updated the file so comparing them wasn't very useful. If the modules were ordered by name, then the diff would likely be much more useful. |
This is probably related to the fact that the shinkwrap file uses a hash instead of an array, and key order in hashes is not guaranteed in JavaScript (in particularly not guaranteed in So this would kind of be a big change, requiring revamping the shrinkwrap format to use arrays instead of hashes :(. |
I see, that makes sense - its a limitation of the JSON stringification method being used. Sounds like its related to this: http://stackoverflow.com/questions/8931967/is-there-a-deterministic-equivalent-of-json-stringify |
@domenic In practice, insertion order is guaranteed. |
I don't seem to have an issue with ordering, but the metadata does appear to change every time someone on the project runs shrinkwrap, making it very difficult to read the diff. This time it was |
my npm version is 2.15.1 with node 4.4.2 and if I just run |
As of the most recent version of That said, there will be some further changes to shrinkwrap soon to incorporate support for shasums, and when we do that we may eliminate one or both of |
The shrinkwrap.json files currently seem to output modules somewhat randomly. It would be nice to have them canonicalized somehow (perhaps just by sorting the modules alphabetically by name) so that the file can be easily diffed to prior versions when the dependencies are updated.
The text was updated successfully, but these errors were encountered: