RFC: Remove --depth from npm outdated #133
Conversation
darcyclarke
added
Agenda
There was a problem hiding this comment.
This is good, and we can discuss a bit more in today's RFC call. I think one thing to clarify is what exactly would show in each column.
Presenting some kind of proposal to chew on would be useful. It's especially confusing that "location" here is "the path in the dependency graph to the thing that depends on the node" and not "the location of the node".
I'd suggest each line could be:
PackageName of the nodeCurrentNode current versionWantedMost up to date version that satisfies eachedgesInEdgeLatestLatest version in the packumentLocationThenode.locationof the node (not the dependent)
And then group by each combination of wanted+location. So, you might see something like this, which is a little weird, but shows that the deduped package may have to get un-deduped:
Package Current Wanted Latest Location
bar 1.0.0 1.4.0 2.0.0 node_modules/bar
bar 1.0.0 2.0.0 4.0.0 node_modules/bar
| ## Rationale and Alternatives | ||
| Since `npm update` will go ahead and update everything at any level, maybe there's no need to know in detail which nested dependencies are outdated and we could just show a message that certain top-level dependency has outdated deps. | ||
|
|
||
| We could also remove all-together the functionality if people are not paying much attention to outdated nested deps, Yarn only displays top-level outdated packages. |
There was a problem hiding this comment.
Would be worth adding a not here that "depth" doesn't have a clear meaning in the context of a dependency graph over a deduplicated tree, since the same node will often be reachable via multiple different dependency paths. (Ie, the same issue brought up in https://github.com/npm/rfcs/blob/latest/accepted/0019-remove-update-depth-option.md)
|
|
||
| In this example, we only care about two versions of `tar`, `4.4.13` and `6.0.2`. Instead we are shown 4 lines of output. | ||
|
|
||
| Moreover, npm v6 currently has inconsistent behavior. Doing `npm outdated --depth 9999` displays all outdated packages that are direct children of the root package, missing out dependencies that are nested at other levels. This gives a wrong impression since we are not really displaying _all_ outdated dependencies of the tree. However, doing `npm outdated foo --depth 9999`, will indeed display all appearances of `foo` on the tree no matter if they are direct children of the root package or not. This is precisely the functionality that displaying all deps should have too (`npm outdated` with no flags). |
There was a problem hiding this comment.
Doing
npm outdated --depth 9999displays all outdated packages that are direct children of the root package, missing out dependencies that are nested at other levels. This gives a wrong impression since we are not really displaying all outdated dependencies of the tree.
I don't think that's the case, unless I'm misreading this maybe? npm outdated --depth=9999 includes this output, for example:
log-update 3.4.0 3.4.0 4.0.0 npm-audit-report > tap > ink
log-update 3.4.0 3.4.0 4.0.0 npm-audit-report > tap > treport > ink
There was a problem hiding this comment.
I think in that case that particular dependency is being deduped and is indeed a direct child of your root package, dependencies that are not deduped and are nested within their own dependant, do not seem to show up when doing only npm oudated --depth 9999 but DO show up when you do npm oudated --depth 9999 <packageName>.
There was a problem hiding this comment.
Hm, it's not though. log-update is a dependency of ink, and my package depends on tap, which depends on ink.
$ find node_modules -name log-update
node_modules/tap/node_modules/log-update
It is a good example of the fact that --depth is pretty weird when talking about a dependency graph, though. It looks like I have two outdated versions of log-update, when really they're the same dep node.
There was a problem hiding this comment.
Yeah, correct. The thing is that log-update is a direct child of tap. So I misphrased that by saying the command shows only direct children of the root package when I meant to say that the v6 algorithm is iterating recursively over the node's direct children (on the file system) instead of over node.edgesOut.
Try doing npm outdated --depth 9999 ansi-escapes (basically any specific dep inside node_modules/tap/log-update/node_modules) and you'll see they are not displayed when calling outdated without a package-name.
Using tree.inventory and node.edgesIn on v7 will definitely solve this problem and properly give us a complete list of all outdated packages.
|
The addition of |
|
Update from RFC call: Worth considering if we could make |
|
Definitely the ideal default for |
claudiahdz
force-pushed
the
claudiahdz/outdated-depth
branch
from
d544e60
to
b35e667
Compare
|
are there any breaking changes expected for the |
|
@ruyadorno No, the only thing to note is that the location info has changed and is now |
|
After continued discussion, removing this concern for now in lieu of better support for this via direct libraries. |
cc. @isaacs