New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Please lock down your dependencies. #8180
Comments
To follow up on this, the primary issue is that the |
I don't think it is up to Sequelize to lock down it's dependencies. If as a user you want to lock down your dependencies after installing a dependency you should either move to npm5 or create a shrinkwrap |
I see now that @sushantdhiman maybe validator.js should be kept at v6 until the next major release ? |
The main issue I see here is that sequelize is using |
Some of this cant be avoided, if a module dependency is using a similar pattern for example, but this package could at the very least try to mitigate some of that by using exact module versions in its dependencies. |
It can be fully avoided if you use shrinkwrap (newer version of npm do it by default) - It is up to you as a user of packages to lockdown your dependencies. If some Sequelize v5 is published today with v1.0.2 of module X and tomorrow v1.0.3 of version x is released including bugfixes and performance improvements without any breaking changes there is no reason for users installing Sequelize not getting the better performance of the newer version. If Sequelize will lock it down all packages will be stale very quickly and a new version will need to be released each time a dependency is fixing it's bugs. But if you do it yourself by utilizing NPM (as you should) you won't have this issues and you'll be free to upgrade when you decide to. |
I expect any package to keep its dependencies up to date and but at same time don't introduce any breaking / unexpected changes. Doing a major every time package try to update dependencies is not ideal either. So I try to update dependencies if we can patch them to have desired behavior. Most of these updates are minor (not patch). When working on #8159 , I went through I am not sure what issue @sorensen faced, but if it was mentioned in changelog, I would have covered it. But regardless if there is a breaking change, just let me know how to reproduce it. I will try to patch it, to conform to semver behavior. |
@sushantdhiman It's easy to reproduce, try to insert an object of type Number into a sequelize string field. It will throw a validation error. |
@yonjah We are using npm shrinkwrap, and have been using sequelize version |
Hmm, which version you updated from, what is your current version @sorensen |
The version has not changed. Still using |
@sorensen I dont think npm allow republishing a already published version, neither I have changed any dependencies nor anything else in v3. Are you sure validator.js was not updated by other dependencies. There is no new v3 version released in ages |
Again, this comes back to locking down packages in the module. Any install of this module will produce different results over time because it is using For a more extreme example, imagine if the package.json was all |
But this dependency inconsistency issue is exactly what shrinkwrap is
supposed to solve.
Has your shrinkwrap file stayed the same between the installs?
…On 24 Aug. 2017 11:11 pm, "Beau Sorensen" ***@***.***> wrote:
Again, this comes back to locking down packages in the module. Any install
of this module will produce different results over time because it is using
^1.0.0 type versioning for dependencies.
For a more extreme example, imagine if the package.json was all *
versions.
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#8180 (comment)>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/ABvrnY9rxM1qU28E5e_aJrNM6x3SndoCks5sbZKOgaJpZM4PAxwg>
.
|
@sorensen Your npm and node version ? |
@yonjah Agreed, it is, we had the misfortune of needing to re-roll the npm-shrinkwrap file and is what caused the new sub-module versions. This could have been solved by hand editing the shrinkwrap file itself, or in our case updating the breaking code. This is not an issue that needs help fixing on my end, it is a complaint / suggestion to lock down module versions exactly and not use wildcard versioning, so that the issues described above don't continue to happen for others when re-rolling the shrinkwrap file, or for those who don't use one. |
As a package locking all dependencies to exact version is not practical as they tend to become outdated very soon. I think |
Yeah, this isn't a package locking issue. You have a bug because validators.js has a bug. If someone starts a new project and uses sequelize, this will be an issue for them. Is your resolution for those people to version lock, then go edit the version to a previous version of validators.js that works with sequelize? |
As of the last few installs of this package of the same version, I have gotten different sub-modules and behavior. Primarily with
validators.js
, whatever module that may be.Please, lock down your packages so that the rest of us don't all have different code running for the same versions of this module.
Sorry if this is coming off in a negative light, I am just fairly frustrated to have introduced changes into my projects without changing versions of this project.
The text was updated successfully, but these errors were encountered: