
Think carefully about how to consider npm shrinkwrap #51

Open
hickford opened this issue Jun 29, 2014 · 1 comment

Comments

@hickford

I checked the David page for my package imgurgitate https://david-dm.org/hickford/imgurgitate . All the dependencies are status green. This surprised me, because I know if you install the package, you get some old versions of dependencies (underscore is now at 1.6.0, for example):

npm install imgurgitate

imgurgitate@0.1.0 node_modules\imgurgitate
├── underscore@1.4.4
├── wrench@1.4.4
├── optimist@0.3.5 (wordwrap@0.0.2)
├── iced-coffee-script@1.4.0-c
├── http-get@0.5.9 (buffer-concat@0.0.1, semver@1.1.4)
└── request@2.16.6 (aws-sign@0.2.0, forever-agent@0.2.0, tunnel-agent@0.2.0, oauth-sign@0.2.0, json-stringify-safe@3.0.0, cookie-jar@0.2.0, mime@1.2.9, node-uuid@1.4.0, qs@0.5.5, hawk@0.10.2, form-data@0.0.7)

Is David wrong?

What's really going on is the package has both a package.json and an npm-shrinkwrapped.json. Read https://www.npmjs.org/doc/cli/npm-shrinkwrap.html and http://blog.nodejs.org/2012/02/27/managing-node-js-dependencies-with-shrinkwrap/ for explanations.

The package.json says "I don't require old software", but the shrinkwrap says "these are the versions of dependencies I was developed and tested against and I suggest you use". They happen to be old.

How David should treat that depends on its purpose. Is it always bad to install old software? Or only to mandate it? I don't know. What do you think?

@alanshaw
Owner

Hey @hickford,

David looks at your package.json and tells you if your dependencies are up to date with respect to that. Since you have "*" as your dependency versions they can never become out of date. Hence David gives you the green light (although the usefulness of this is questionable).

David doesn't consider shrinkwrapped dependencies at the moment, but perhaps it should. As a shrinkwrap user I'd be interested to know how you think David should deal with the situation. David is not a tool to tell people that they shouldn't be using old versions of software; it's there to give information about your project dependencies so you can make informed decisions on when to upgrade or not based on security issues, bug fixes, new features etc.

I suppose I'd be inclined to create another tab on the project page that lists shrinkwrapped dependencies and a different badge for it as well. You'd then still be able to experiment with versions in package.json but also know information about your shrinkwrapped dependencies.
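The gap the two comments describe (a "*" range in package.json that is always "up to date" while npm-shrinkwrap.json pins versions that have fallen behind) can be checked locally with a small script. The one below is an added example, not David's code and not part of this thread: it reads a package.json and the npm v1-era npm-shrinkwrap.json layout (`dependencies: { name: { version } }`) and reports, per dependency, whether the declared range still admits the newest release and whether the pinned version is behind it. The package.json, shrinkwrap and `latest` map are constructed inline (the `latest` map stands in for a registry lookup so it runs offline), and the range matcher only covers the forms used here (`*`, exact, `^`, `~`, `>=`) rather than full semver.

```javascript
// Added example: surface shrinkwrap pins that a permissive package.json range hides.

// Constructed package.json: "*" ranges that, as noted above, can never be out of date.
const packageJson = {
  name: 'example-pkg',
  dependencies: { underscore: '*', wrench: '*', optimist: '>=0.3.0', request: '~2.16.0' }
};

// Constructed npm-shrinkwrap.json in the npm v1 shape (version per dependency, nested deps).
const shrinkwrap = {
  name: 'example-pkg',
  dependencies: {
    underscore: { version: '1.4.4' },
    wrench: { version: '1.4.4' },
    optimist: { version: '0.3.5', dependencies: { wordwrap: { version: '0.0.2' } } },
    request: { version: '2.16.6' }
  }
};

// Constructed stand-in for the registry's "latest" tags (illustrative values only).
const latest = { underscore: '1.6.0', wrench: '1.5.8', optimist: '0.6.1', request: '2.36.0' };

// Parse the numeric major.minor.patch prefix; prerelease suffixes such as "-c" are ignored.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error('unsupported version: ' + v);
  return m.slice(1, 4).map(Number);
}

// Three-way compare of two versions: -1, 0 or 1.
function compare(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  return 0;
}

// Minimal range check for the forms used in this example: *, exact, ^, ~, >=.
function satisfies(version, range) {
  if (range === '*' || range === '') return true;
  if (range.startsWith('>=')) return compare(version, range.slice(2)) >= 0;
  if (range.startsWith('^')) {
    const base = parseVersion(range.slice(1)), v = parseVersion(version);
    if (compare(version, range.slice(1)) < 0) return false;
    // ^1.x allows any 1.x; ^0.y only allows the same 0.y minor line.
    return base[0] > 0 ? v[0] === base[0] : (v[0] === 0 && v[1] === base[1]);
  }
  if (range.startsWith('~')) {
    const base = parseVersion(range.slice(1)), v = parseVersion(version);
    return compare(version, range.slice(1)) >= 0 && v[0] === base[0] && v[1] === base[1];
  }
  return compare(version, range) === 0;
}

// For each declared dependency: does the range admit the newest release (the package.json view),
// and is the shrinkwrapped pin behind it (the view an installer actually gets)?
function audit(pkg, wrap, latestMap) {
  const rows = [];
  for (const [name, range] of Object.entries(pkg.dependencies || {})) {
    const entry = wrap.dependencies && wrap.dependencies[name];
    const pinned = entry ? entry.version : null;
    const newest = latestMap[name] || null;
    rows.push({
      name,
      range,
      pinned,
      latest: newest,
      rangeUpToDate: newest ? satisfies(newest, range) : null,
      pinnedInRange: pinned ? satisfies(pinned, range) : null,
      pinnedBehind: pinned && newest ? compare(pinned, newest) < 0 : null
    });
  }
  return rows;
}

// Print one line per dependency; a "*" range reports rangeUpToDate=true even when pinnedBehind=true.
for (const r of audit(packageJson, shrinkwrap, latest)) {
  console.log(`${r.name}: range ${r.range} pinned ${r.pinned} latest ${r.latest} ` +
              `rangeUpToDate=${r.rangeUpToDate} pinnedInRange=${r.pinnedInRange} pinnedBehind=${r.pinnedBehind}`);
}
```

Run with `node audit.js` after pasting the two JSON files in place of the constructed objects; a row with `rangeUpToDate=true` and `pinnedBehind=true` is exactly the case the thread describes, where the badge is green but an install still gets an old version.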
