New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
In shrinkwrap.yaml deps of deps can be locked to a version which doesn't satisfy the package.json semver #634
Comments
why should it satisfy the parent deps package.json? it should satisfy only the package.json which requires the dependency.
steps to reproduce would be helpful. If it happens, it is a bug for sure |
That's what I meant. I will try to reproduce it in a small project. |
Reproduced. pnpm v0.58.0
Aside: Is shrinkwrap used during installation at present, or is it just written to as a record? |
Thanks for the steps shrinkwrap is reused. It is not just for a record. |
So to confirm, when there is a shrinkwrap file present, when I Is it possible to update a single package's dependencies without nuking the shrinkwrap file? |
Just tested - when I modify the version of a dep of a dep in |
oh, right, so currently pnpm always tries to update the top dependencies, when doing For the lower deps shrinkwrap is respected though, unless the |
BREAKING CHANGE: shrinkwrap format changed Close #634
BREAKING CHANGE: shrinkwrap format changed Close #634
BREAKING CHANGE: shrinkwrap format changed Close #634
This behavior is confusing, I'll change it so that shrinkwrap will be respected for the top level dependencies as well |
So to clarify the proposed behaviour: When I If I want to update all my deps, I must delete the shrinkwrap file. If I want to update a single dep and its deps, I can run The only case that seems to be not possible is: updating deps of deps but not the dep itself. But I don't think this is a common case tbh. Maybe a FAQ of this functionality would be useful. Something like: How do I ensure that the same dependency tree is used every time
|
Well, you can also update all the top-level deps using
I would personally make it infinity by default.. Of course, I agree that this should be documented. |
Fix landed in v0.60.0 |
I encountered an issue where
lodash@3
was saved in theshrinkwrap.yaml
for a module that requiredlodash@4
. I had to remove theshrinkwrap.yaml
file to fix it.How does pnpm make use of the shrinkwrap file?
Does it ensure that the deps of deps satisfies the parent deps package.json dependencies semver?
The text was updated successfully, but these errors were encountered: