Deps correctness #505
Deps correctness #505
Conversation
| "zipkin": "^0.21.0" | ||
| }, | ||
| "devDependencies": { | ||
| "body-parser": "^1.15.2", | ||
| "express": "^4.17.1", |
There was a problem hiding this comment.
I am curious about this one, I know this is required in the test but how come tests don't complain?
There was a problem hiding this comment.
My guess is as it is lerna, expressjs was coming from the global package.json
There was a problem hiding this comment.
deleted express as it is in global package json
03c84c6
| @@ -16,16 +16,16 @@ | |||
| "@types/request": "^2.0.8" | |||
| }, | |||
| "dependencies": { | |||
| "asap": "^2.0.6", | |||
There was a problem hiding this comment.
👍 I think using 2.0.4 is enough https://github.com/kriskowal/asap/blob/master/CHANGES.md
There was a problem hiding this comment.
Jose, I set the version 03c84c6
but what is the point of fixing patch version?
There was a problem hiding this comment.
Sorry I meant ^2.0.4 but ^2.0.6 is a patch so probably this is good enough 👍
| @@ -14,12 +14,13 @@ | |||
| "license": "Apache-2.0", | |||
| "repository": "https://github.com/openzipkin/zipkin-js", | |||
| "dependencies": { | |||
| "node-fetch": "^2.6.0", | |||
There was a problem hiding this comment.
I am kind of concerned about this version constraint. I checked node-fetch api and nothing stop us to use version 1.4.0 for example since it support all the options we use. In the other hand, version 3.x is going to break us. I feel like we could support ^1.4 and ^2.0? What do you think. I don't want us to force users to upgrade their node-fetch because of zipkin.
There was a problem hiding this comment.
why do you think this package uses 1.4.0 ? I moved this package from version 2.3 to 2.6
you suggest to fix it here as ^2.0.0?
There was a problem hiding this comment.
why do you think this package uses 1.4.0 ? I moved this package from version 2.3 to 2.6
you suggest to fix it here as ^2.0.0?
I think you could specify it as >=2.0.0 < 3.0.0 (could also be that simply 2.x expresses the same thing but don't quote me on that, I've slipped up with semver constraints before)
Could also be >=1.4.0 < 3.0.0 to include the 1.4.0 version as @jcchavezs mentioned
There was a problem hiding this comment.
Did I get it right that ^2.0.0 will be fine for everyone?
There was a problem hiding this comment.
Did I get it right that ^2.0.0 will be fine for everyone?
Would be fine by me personally because I don't use old node-fetch (v1.4.x) at all.
There was a problem hiding this comment.
Yeah, my main concern are those using 1.4.x already that want to use zipkin-js, will that force them to use node-fetch 2.x then? In the other hand I think that since this is not a breaking change because we are just adding the dependency it is fine to keep ^2.0.0. Any thoughts @adriancole?
There was a problem hiding this comment.
Yeah, my main concern are those using 1.4.x already that want to use zipkin-js, will that force them to use node-fetch 2.x then?
In the other hand I think that since this is not a breaking change because we are just adding the dependency it is fine to keep ^2.0.0. Any thoughts @adriancole?
If they want to upgrade to the newer version of zipkin-js, then yes, they will be forced to update node-fetch from 1.4.x to at least 2.x.
So, in this sense, this is a breaking change and should be accompanied by a major version bump on the version of zipkin-js itself.
Basically it's like this: If you previously did not restrict a peer dependency version, but now you do, then it is a breaking change for those who are suddenly out of compliance with their dependency version.
If it were released as a minor/patch version bump then it might break builds for some, if they had minor/patch version auto upgrade specified in their zipkin-js version in the package.json dependencies section. This is how builds of projects with npm dependency management can break overnight seemingly all by themselves without anyone changing anything in the source code.
So, I'd say it needs a major release.
That way people who are upgrading their zipkin-js will know to "expect trouble" and those who specified to only auto-update patch/minor versions won't get a sudden and unexpected breakage.
People who specified to auto-upgrade even major versions and use node-fetch 1.4.x will still have their build break overnight, but they chose to live on the bleeding edge so there's nothing you can do about that.
There was a problem hiding this comment.
Thanks for the explanation @petermetz, if that is the case then let's do >=1.4.0 < 3.0.0 so we don't break anyone. We are not likely doing a major release for this change.
| @@ -16,16 +16,16 @@ | |||
| "@types/request": "^2.0.8" | |||
| }, | |||
| "dependencies": { | |||
| "asap": "^2.0.6", | |||
| "request": "^2.88.2", | |||
| "request-promise": "^4.2.5", | |||
There was a problem hiding this comment.
I am not sure about this one. It feels like CLS is not supported in v4: https://github.com/request/request-promise#migration-from-v3-to-v4
Do you have any idea?
There was a problem hiding this comment.
I moved it from devDeps v 4.2.2 to deps 4.2.5
where is v3?
There was a problem hiding this comment.
Yeah, right. Ignore this one.
|
Thanks for this. I added some comments. I know you are just moving devDeps into deps but that means we will impact user's code and hence it is worth taking the time to look at the deps we are aiming to introduce to our users. |
There was a problem hiding this comment.
I opened #506 request to improve how deps are organized- may be this PR should be delayed until that one?
| @@ -14,12 +14,13 @@ | |||
| "license": "Apache-2.0", | |||
| "repository": "https://github.com/openzipkin/zipkin-js", | |||
| "dependencies": { | |||
| "node-fetch": "^2.6.0", | |||
There was a problem hiding this comment.
why do you think this package uses 1.4.0 ? I moved this package from version 2.3 to 2.6
you suggest to fix it here as ^2.0.0?
| @@ -16,16 +16,16 @@ | |||
| "@types/request": "^2.0.8" | |||
| }, | |||
| "dependencies": { | |||
| "asap": "^2.0.6", | |||
| "request": "^2.88.2", | |||
| "request-promise": "^4.2.5", | |||
There was a problem hiding this comment.
I moved it from devDeps v 4.2.2 to deps 4.2.5
where is v3?
|
Once this one https://github.com/openzipkin/zipkin-js/pull/505/files#r432086456 is sorted we can merge it and do a release. |
… Deps-correctness � Conflicts: � yarn.lock
|
Thanks a lot @mikhailrojo ! |
I moved libraries which are required in code in deps from devDeps and add commas to readme.
Closes #491