Oscillating package-lock.json due to npm version upgrade to v7 #4177
Comments
I've proposed two PRs for this. Just a reminder: if we decide to go forward with this, we probably need to make an announcement in the discussions or teams sections so that people know beforehand, although I think the error they will get (if they are using npm v7) is quite self-explanatory. 🤔

Good stuff, I faced the issue recently:

The massive diffs on

Ah, I didn't know it was already recorded on Slack; was always wondering why my

You are welcome. 😄

LTS is now 16.x, in a few weeks it will be 18.x, so here's a reminder to create this task(s) 😸 Not that the upgrade is urgent, but it's good to have the task, and besides, in my experience the new version of the package lock is actually more useful.

We're usually happy to upgrade our node version to latest or latest LTS, but we always need to wait until Heroku and Vercel support it. 16.x is currently blocked for months by Vercel, itself blocked by AWS, a bit sad situation:
Describe the bug

This has been an issue I saw for a while where the `package-lock.json` file changes depending on the node/npm version that you use. An example would be the recent PR: https://github.com/opencollective/opencollective-frontend/pull/6155/files. The problem started, I think, when some people in the @opencollective/core team started using `npm v7` whereas others have `npm v6`.

Now, note that `npm v7` has major upgrades to the `package-lock.json` file and uses `lockfileVersion=2`. However, when someone executes `npm i` using `npm v6`, then the `package-lock.json` file is downgraded to v1. This can be annoying as the package lock file will keep oscillating depending on which `npm` version people use.

The current LTS release of node (v14.16.1) ships with npm v6. Therefore my thinking is that we should not upgrade the npm version to v7, especially since we are keeping the node version at v14 as our supported version (the same applies for the api layer).

Thinking further, I propose the following solution both for the front-end and the api layer. We should make sure people use node 14.x and npm version 6.x, and this should be strict (using `engine-strict=true` in the .npmrc file). One day when node 15.x becomes LTS we should have a task to migrate our `package-lock.json` file to version 2 or 3. 😄

Let me know your thoughts or if you disagree with this. 😄

Expected behavior

Whenever a developer executes `npm i`, the package-lock.json version (lockfileVersion) should stay the same regardless of which `node` or `npm` version they use, as long as it falls within our supported Node.js versions.