I checked the David page for my package imgurgitate https://david-dm.org/hickford/imgurgitate . All the dependencies are status green. This surprised me, because I know if you install the package, you get some old versions of dependencies (underscore is now at 1.6.0 for example).
Is David wrong?
What's really going on is the package has both a package.json and an npm-shrinkwrapped.json. Read https://www.npmjs.org/doc/cli/npm-shrinkwrap.html and http://blog.nodejs.org/2012/02/27/managing-node-js-dependencies-with-shrinkwrap/ for explanations. The package.json says "I don't require old software", but the shrinkwrap says "these are the versions of dependencies I was developed and tested against and I suggest you use". They happen to be old.
How David should treat that depends on its purpose. Is it always bad to install old software? Or only to mandate it? I don't know. What do you think?
David looks at your package.json and tells you if your dependencies are up to date with respect to that. Since you have "*" as your dependency versions they can never become out of date. Hence David gives you the green light (although the usefulness of this is questionable).
David doesn't consider shrinkwrapped dependencies at the moment, but perhaps it should. As a shrinkwrap user I'd be interested to know how you think david should deal with the situation. David is not a tool to tell people that they shouldn't be using old versions of software, it's there to give information about your project dependencies so you can make informed decisions on when to upgrade or not based on security issues, bug fixes, new features etc.
I suppose I'd be inclined to create another tab on the project page that lists shrinkwrapped dependencies and a different badge for it as well. You'd then still be able to experiment with versions in package.json but also know information about your shrinkwrapped dependencies.
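As an added example (not David's own code), a small Node script that shows the two views the maintainer describes: a "*" range in package.json can never be out of date, while the versions pinned in npm-shrinkwrap.json, including nested ones, can be compared against the latest known release. Both manifests and the latest-version map are constructed stand-ins for the real files and registry, and non-"*" ranges are treated as exact pins.

```javascript
// Added example, not David's code: compare shrinkwrap-pinned versions against
// the latest release, which David did not do at the time of this thread.
// The "latest" map stands in for npm registry data so the example runs offline.

// Constructed package.json and npm-shrinkwrap.json, modelled on the imgurgitate case.
const packageJson = { dependencies: { underscore: "*", request: "*" } };
const shrinkwrap = {
  dependencies: {
    underscore: { version: "1.4.4" },
    // shrinkwrap records transitive dependencies as nested "dependencies" objects
    request: { version: "2.21.0", dependencies: { qs: { version: "0.6.5" } } },
  },
};
const latest = { underscore: "1.6.0", request: "2.21.0", qs: "0.6.6" }; // constructed

// Compare two dotted version strings numerically (major.minor.patch), ignoring pre-release tags.
function compareVersions(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// David's view: "*" is satisfied by any release, so it is never out of date.
// Anything else is treated here as an exact pin (a simplification of semver ranges).
function packageJsonStatus(pkg, latestVersions) {
  return Object.entries(pkg.dependencies).map(([name, range]) => ({
    name,
    range,
    upToDate: range === "*" || compareVersions(range, latestVersions[name]) >= 0,
  }));
}

// The proposed shrinkwrap tab: walk the (recursive) shrinkwrap tree and report
// every pinned version that lags the latest release, with its dependency path.
function shrinkwrapStatus(wrap, latestVersions, path = []) {
  const stale = [];
  for (const [name, entry] of Object.entries(wrap.dependencies || {})) {
    const here = [...path, name];
    if (latestVersions[name] && compareVersions(entry.version, latestVersions[name]) < 0) {
      stale.push({ path: here.join(" > "), pinned: entry.version, latest: latestVersions[name] });
    }
    stale.push(...shrinkwrapStatus(entry, latestVersions, here));
  }
  return stale;
}

console.log(packageJsonStatus(packageJson, latest), shrinkwrapStatus(shrinkwrap, latest));
```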