Support package-lock.json v3 in npm 7 #434
Conversation
|
|
||
| npm 7 introduces new features which aren’t compatible with older npm versions, such as workspaces. This makes npm 7 a minimum requirement for a project. | ||
|
|
||
| Both `package-lock.json` version 1 and 3 files can be huge. `package-lock.json` 2 is an intermediate format whose goal is to add backwards compatibility with `package-lock.json` version 1 and npm 6. It does so by writing both the dependency trees in the version 1 and 3 formats. This means the file is even twice as big as it needs to be. This also means the same change appears twice in a diff, but in a different format, meaning it needs to be reviewed twice. This is unnecessary if the minimal required npm version is 7. |
There was a problem hiding this comment.
| Both `package-lock.json` version 1 and 3 files can be huge. `package-lock.json` 2 is an intermediate format whose goal is to add backwards compatibility with `package-lock.json` version 1 and npm 6. It does so by writing both the dependency trees in the version 1 and 3 formats. This means the file is even twice as big as it needs to be. This also means the same change appears twice in a diff, but in a different format, meaning it needs to be reviewed twice. This is unnecessary if the minimal required npm version is 7. | |
| Both `package-lock.json` version 1 and 2 files can be huge. `package-lock.json` 2 is an intermediate format whose goal is to add backwards compatibility with `package-lock.json` version 1 and npm 6. It does so by writing both the dependency trees in the version 1 and 3 formats. This means the file is even twice as big as it needs to be. This also means the same change appears twice in a diff, but in a different format, meaning it needs to be reviewed twice. This is unnecessary if the minimal required npm version is 7. |
?
There was a problem hiding this comment.
Nope, I meant versions 1 and 3. Version 2 includes both, which makes it even bigger.
|
Instead of letting the user control this, could it pivot based on the |
I didn’t think of that, but this is an interesting idea. I think the original proposal is better though, because:
Another idea might be to reuse the # Don’t write package-lock.json at all
package-lock=false
# Write package-lock.json version 1
package-lock=v1
# Write package-lock.json version 2
package-lock=v2
# Write package-lock.json version 3
package-lock=v3
# Write the package-lock.json version npm thinks is best (default behaviour, equal to v2 for npm 7)
package-lock=true |
|
|
||
| ## Rationale and Alternatives | ||
|
|
||
| 1. A command line flag could be supported instead of an option in `.npmrc`. However, typically one would want to support this on a project level. |
There was a problem hiding this comment.
My understanding is that typically command line flags are also usable in .npmrc - so supporting npm install --package-lock-version=<number> would also allow you to use package-lock-version=<number> in .npmrc.
IMO the path of both is ideal.
|
I particularly like the recommendation to extend the |
|
Removing |
|
We should definitely not make Mixed-type configs are an antipattern. |
This will tell Arborist to save an appropriate lockfile based on the version specified. Version 3 = packages section only Version 2 = packages and dependencies sections (default) Version 1 = dependencies section only (legacy npm v6 support) Re: npm/rfcs#434
This will tell Arborist to save an appropriate lockfile based on the version specified. Version 3 = packages section only Version 2 = packages and dependencies sections (default) Version 1 = dependencies section only (legacy npm v6 support) Re: npm/rfcs#434
|
Suggestions:
This means:
Open question: in the absence of a default lockfileVersion setting, should Arborist use a v3 lockfile if it sees one? It seems a bit weird to have it roll back to v2 if you've already pushed forward. (In the PR as it stands now, it'll always use the setting provided, so if you |
|
@isaacs Looks good to me! Just let me know if I need to update the proposal.
I believe Arborist should always default to lockfile v2 for now for backwards compatibility. This should then be reconsidered for npm 8. |
Right, but the use case I'm imagining is: If the lockfile is already v3, maybe we should default to that, rather than downgrading it? |
|
It would seem like a bug to me if it downgrades it or upgrades it implicitly. |
Agree. Not only would it be a buggy experience, it would be excessively noisy in git diffs which is both a good way to make people more desensitized to package-lock file changes even more than they already are. |
"Upgrade it implicitly" is what we already do. The v1 lockfile doesn't have all the information we need to fully construct the tree, meaning that installs are slower and less deterministic, don't track changes in link targets, etc. But downgrading implicitly definitely seems like the wrong thing to do, since you must have opted into the new version explicitly to be in that state. |
|
upgrading from v1 to v2, i understand for the reasons you describe; but from v2 to v3? |
PR-URL: #434 Credit: @remcohaszing Close: #434 Reviewed-by: @isaacs EDIT(@isaacs): updated to reflect where the discussion on this feature landed in open RFC meetings, and add implementation details.
This will tell Arborist to save an appropriate lockfile based on the version specified. Version 3 = packages section only Version 2 = packages and dependencies sections (default) Version 1 = dependencies section only (legacy npm v6 support) Re: npm/rfcs#434
Upgrading from the default version to a higher version should never happen implicitly. But if you already explicitly set it to a higher version, we shouldn't downgrade to the default. |
This will tell Arborist to save an appropriate lockfile based on the version specified. Version 3 = packages section only Version 2 = packages and dependencies sections (default) Version 1 = dependencies section only (legacy npm v6 support) Re: npm/rfcs#434
Depends on @npmcli/arborist@4.0.0 Re: npm/rfcs#434
Depends on @npmcli/arborist@4.0.0 Re: npm/rfcs#434
Depends on @npmcli/arborist@4.0.0 Re: npm/rfcs#434 PR-URL: #3880 Credit: @isaacs Close: #3880 Reviewed-by: @wraithgar
Depends on @npmcli/arborist@4.0.0 Re: npm/rfcs#434 PR-URL: #3880 Credit: @isaacs Close: #3880 Reviewed-by: @wraithgar
|
Which version of npm 7 started to support lockfileVersion v3? |
|
The initial support for lockfile version 3 had some bugs. It’s been usable in practice since npm version 8.1.2. |
npm 7 introduces new features which aren’t compatible with older npm versions, such as workspaces. This makes npm 7 a minimum requirement for a project.
Both
package-lock.jsonversion 1 and 3 files can be huge.package-lock.json2 is an intermediate format whose goal is to add backwards compatibility withpackage-lock.jsonversion 1 and npm 6. It does so by writing both the dependency trees in the version 1 and 3 formats. This means the file is even twice as big as it needs to be. This also means the same change appears twice in a diff, but in a different format, meaning it needs to be reviewed twice. This is unnecessary if the minimal required npm version is 7.References
Related to npm/feedback#517