-
Notifications
You must be signed in to change notification settings - Fork 4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Plugin: Pin dependencies that slipped into trunk
#39865
Plugin: Pin dependencies that slipped into trunk
#39865
Conversation
accef3e
to
0fa0226
Compare
The only thing that comes to mind is whether or not this check:
would now detect any "legitimate" issues. |
Y
I don’t know about now, but in the past |
I believe that before with Is the intention of this step is to ensure Gutenberg is always using the latest version of If this is the case than Personally I prefer "concious" package updates and it's easy to ignore minor updates in unrelated areas of the code potentially messing things up. It's too easy to just go
So this would protect us only from dependencies for any reason not being available anymore not about new updates to lockfile being available. |
@tomasztunik, I don't think that what you described is the motivation for the CI check for the lock file. The project doesn't use ranges for npm dependencies so you shouldn't get random updates by running It's all about ensuring that the lock file is predictable and it looks the same for everyone. CI becomes the source of truth because for every PR it runs |
Ah this makes sense now. So the issue seems to be some packages have slipped the rule of having pinned versions.
and the dependency from linked broken PR is on this list. Should I roll back |
Good catch! I see now that some packages use ranges. Yes, I think it's a good idea and we should pin those dependencies. Maybe extending the CI check to prevent using ranges is a reasonable follow-up as that would prevent the issue in the first place. |
What do you think we update Also there is |
As long as it applies to the project, but not the individual WordPress packages then it would be a great addition 😄 |
trunk
we actually want to use npm install to detect wrong dependencies versioning
0fa0226
to
208531c
Compare
Will have to look into it bit more after hours and prepare the follow up if I found a good way to handle it, noticed that the setting is already in Pushed revert of Should #16157 be closed as having |
@@ -41,7 +41,7 @@ | |||
"js-yaml": "^3.13.1", | |||
"ora": "^4.0.2", | |||
"rimraf": "^3.0.2", | |||
"simple-git": "^2.35.0", | |||
"simple-git": "^3.5.0", |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
https://github.com/steveukx/git-js/releases/tag/simple-git-v3.0.0
It doesn't look like there are breaking changea that could impact the project.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
As mentioned here I actually tested it against our repo and it works good 👌.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We use simple-git
for example for publishing WordPress packages to npm so you couldn't test it. I wanted to ensure they didn't change any APIs. We will see this Friday 🤣
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
From what I've seen to some extent wp-env
was also using it for setting things up - so was testing it on this end :)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It looks good. Thank you for going through the whole process of finding the final solution.
I belive we should for now. We can reevaluate everything once we finally switch to npm 8. npm 6 had so many bugs that forced us to use this suboptimal solution in the first place.
It's nice to have. Maybe we can have something very simple that iterates over all dependencies and checks wheter it's a pinned version. |
Update
Leaving old reasoning for reference.
The error that we've seen that we have attempted to fix with change to
npm ci
fromnpm install
in theStatic Check
workflow was actually caused by unpinned dependency getting out of sync and causing errors with newpackage-lock
getting generated and exiting with an error because of that. Which is actually correct behaviour as packages should always have their versions pinned.I've pinned the offending packages to the versions that are currently in the package-lock and updated the comment on the workflow to make it more explicit that this is also the responsibility of this step.
What?
Revert Static Analysis workflow to use
npm ci
again.Fixes #16157
Blocks #39560
Why?
Because we've used npm intall - which regenerates
package-lock.json
- we've had a rare case of Static Analysis verification step fail on dependency update because before dependency PR was merged new version was released and newly created package-lock in the step did not match the one that was contributed by the dependabot. (Ref issue log).When issue that made us use
npm install
overci
was present travis used latest LTS available - which was Node v10. Now we are using Node v14 and in the meantime the issue withnpm ci
not reporting errors correctly got fixed.The problem mentioned in #16157 is not reproductible anymore and using
npm install
instead ofnpm ci
can cause another set of issues as documented above.How?
We are updating
.github/workflows/static-checks.yml
to use npm ci.Testing Instructions
As per #16157:
This should produce non zero output - verified to produce
1