Lerna is largely unmaintained #2703
Comments
|
Thanks for bringing this up @MikeActually |
|
as partially documented at #2680 . I have contacted NPM regarding the degree to which this project is maintained and indicated that there may be an ask to add maintainers to the package in NPM, so that security issues can be addressed. There was a reply from @hzoo that sounded like it was unlikely that this package would have maintainers added nor would be prioritized for support. There is some concern that adding maintainers would/could result in a security issue (which I agree with), but what I disagree with is the thought that not maintaining this package implies that would not result in security issues (it will if existing code is discovered to be exploitable, or the package winds up being incompatible with a future version of nodejs). @hzoo indicated that he would contact @evocateur on the matter. He also indicated that if desired, there should be a fork of this (if someone wants to take that on, that is definitely an option) I responded suggesting that there are inherent risks of doing nothing, too and that forking may not be responsible for such a large customer base. I also indicated that Stackstorm looks like a company that depends on this package extensively, and might be worth contacting for long term support. I also indicated that it's clear that there needs to be some effort to identify maintainers for this project, instead of just updating it now and then. |
|
I also wanted to mention #1172 to show that support has been difficult to find for close to 2 years on this package, yet, I haven't seen much of an effort to seek out additional maintainers. Currently, all maintenance must go through @evocateur , since he is most familiar with the project and is one of two people with access to publish changes. Would love to hear what would be acceptable from the owners of this project to help find a LTS model for this package, instead of relying on 1 person to contribute to it in their free time. |
|
Would financial support help? |
|
@romainmenke - my correspondence with NPM and @evocateur and @hzoo led me to believe that beyond financial support, having additional resources dedicate time to maintaining this would be helpful. I'm not sure how @evocateur would like to coordinate getting more contributors involved. I see PRs sitting for a long amount of time, maybe contributors can begin providing their own feedback on PRs. I think @evocateur would be best to dictate how support can be improved, and how people can help. He also indicated that people can fork this library, if they wish, but I think that becomes problematic, in some ways, but, if it seems like the limited support is a long term problem, having a larger degree of ownership seems like it would definitely help, considering the breadthof use of this module. |
This comment has been minimized.
This comment has been minimized.
|
@MikeActually - Yes forking would be problematic. In the long term it would do more harm than good. @zkochan Sorry to say that this is way of topic :) |
This comment has been minimized.
This comment has been minimized.
|
EDIT: @zkochan
i very much agree with that continuing my comment
While the afformentioned managemant problem is plenty reason to me to not get engaged in this repository, there are a handfull of thing which make this project not very attractive to work on for me. (spoiler: i'm not the most convenient person to work with because of always working in an esnext environment)
|
|
I don't really have a say in all of this, but I don't see suggesting alternatives as being unrelated. If nobody is willing to fork, the maintainers do not work toward getting additional support involved, or nobody is willing to contribute to being that additional support, then, I think, there is nothing left but to offer alternatives. Personally, I just see this as an obstacle for orgs that depend on this library and it's being flagged as a security concern. I'm just trying to keep the conversation going because I feel for those people, and it seems like nothing was happening here. I really think the maintainers need to get involved here. Really unsettling that literally nothing has been said in here for months. I know the 1 email I received definitely gave the impression that this project was not worth the time, in that case, I wish they had at least indicated here that additional maintainers were needed or that they need funding to justify the time investment. Both of those things are possible, but require their involvement to move forward. I do think this is a very unwieldy project to just dive in and expect things to go smoothly. Getting access to the NPM distro is possible, but git would almost certainly need to be forked to do that |
|
I don't mean this in any negative way or to invalidate all the work put into Lerna, but I wonder if Lerna is deprecated/obsolete at this point. There's plenty of material on how to use Lerna with Yarn Workspaces together, but it's not clear what Lerna actually adds that you can't just do with Yarn Workspaces. Curious to hear thoughts and input on this. |
|
Wow, this is all kind of frightening to digest. I've been investing a lot into lerna and I hate to see it in this state. I wanted to share some things I noticed reading through discussions:
SuggestionsIf a couple small actions are taken, I think they could have a good impact on the maintenance of lerna. Note: I went ahead and created issues for these suggestions and will move these descriptions there too eventually but leaving here for easier digestion.
Side note: I really appreciate all lerna does. I've done a lot of work within my company to support lerna in our internal tooling. I'd be happy to be a maintainer. |
This is perhaps an esoteric case, but I recently refactored a set of repos to use lerna, and one of the benefits was that lerna doesn't complain about nested monorepos. Yarn 1 can't do it (and nobody's really working on yarn 1). Yarn 2 is supposed to, but I haven't gotten it to work properly in the way that matches the workflow I need where the nested repo can be pulled out into a completely different repo and still function, lockfiles and all, via git-subrepo. |
Hey @warent, your question isn't very relevant to this discussion. Yarn workspaces and lerna have both been around for a few years now and there's a lot of discussion around your question available online. My personal response to your question is that I would not use yarn. Npm workspaces is another topic but it's in development and still doesn't address the author's concerns. |
|
@goldhand Fair point, my comment was intended to refer to alternative solutions in general, using yarn workspaces as an example. I am interested in those discussions you're referring to if you could point me to any specific ones. I haven't had any luck finding any. That being said, it is relevant because it directly addresses the author's first question:
My response being: potentially deprecate the package, and encourage migration away from it. |
|
I see @warent, the first reason I mention is that I would strongly discourage using yarn for package management if I was reviewing a project design. There are a lot of reasons but this article from 2018 can explain most. Without getting into a debate over yarn vs npm, we can at least assume "use yarn instead" is not a viable option for many developers who, like me, want to use npm with our monorepos. Second, yarn does not replace all that lerna is doing as explained in this article about lerna + yarn. This venn diagram is helpful for clarifying: I also want to mention I really don't like to say a comment is not relevant and I def don't want to sound rude, I just really feel like this discussion should be focused on some of the other points and am very concerned about the state of lerna. I do agree that offering an alternative to lerna is an option. I recommend that as fall back, incase other options fail. In this comment, I recommend npm workspaces migration plan as the 3rd option after 1 and 2 fail. |
|
@MikeActually has there been any more movement on this since September? Has the situation changed or improved, or is there a plan in place? |
|
@rikoe I would love to know too. Such a great tool! |
|
@rikoe and @jsefiani - I don't have anything to share, while I was given permission to merge PRs, I would not be able to push updates to npm. My suggestion would be to explore the options that offer a semi related solution, and see if one of them fit your needs. If you absolutely need Lerna, forking it might be your best bet. The other option is to start moving the project forward, so, creating small PRs to help move the project forward. From what I can tell, PRs are not even passing automation checks, so doing research as to why the API response codes from npm changed, and what the best solution to address those failed test scenarios would be one thing to take on. I recall someone indicating that there are other obstacles in the automation. I don't think any PRs can really move forward until that happens. There is also a Slack that was created via #2715 . Candidly, it's tough to do anything with this project without a central longterm owner, and it seems like the historical owners have little interest in the project at this point. |
|
I will say that it looks like @evocateur made a number of commits in early november - he is the best person to speak to the status of the project - https://github.com/lerna/lerna/commits?author=evocateur&since=2020-11-01&until=2020-12-01 |
|
For a few reasons, this issue among them, we explored other options. We've migrated to Atlassian's Changesets (https://github.com/atlassian/changesets), which is an evolution of Atlassian's experiments with Lerna and semantic-release (https://github.com/atlassian/lerna-semantic-release). It is great, we now have a Dependabot-like publishing flow that's a lot more automated. Also, it doesn't regularly crash out due to git tag mismatches or attempting to publish things to npm that are already there. I can recommend it as a clean, hassle-free replacement for Lerna. |
|
I should write a proper resignation post, but burnout. I've been farting around in the anyway, just wanted to say i appreciate all the effort in this thread. i'm sorry i'm not better at it. |
Breaking Lerna apart (run, list, version, publish...). Maybe it would help with the maintenance cost? |
|
Hello @inca, here at KOJI we are heavily using Lerna for our monorepo management. We don't want to migrate on other available solution that sound heavy or too far from basic NPM usage. We are willing to take on the maintenance with our developers and the responsibility to merge Pull Request |
|
@icrotz and others who offer to maintain this project: You are free to fork and maintain this wherever and however you want. You don’t need any approval for that and it carries no risk for the current maintainers. Adding maintainers to a widely used project is not something to be taken lightly by existing maintainers. History has shown that such a thing is vulnerable to social engineering attacks. @icrotz Fork and publish as |
|
New fork has been created: https://github.com/KOJI-SAS/kerna |
|
Is there any alternative that can controll the version of monorepo? |
|
Lerna is dead... Long live Lerna!!! 😄 Thanks for Nrwl for taking the torch #3121 On a side note, I just released Lerna-Lite version 1.2.0 which brings support for yarn/pnpm Give it a try and happy coding 🎉 |
|
Hi Folks 👋 You may or may not know that lerna is now under the stewardship of Nrwl (announcement here #3121), a company with a long history of not just producing valuable open-source software (OSS), but also backing others (at the time of writing, Nrwl has donated over $50,000 to OSS it hasn't created, see https://opencollective.com/nx for full details). Quite simply, Nrwl ❤️ OSS, and is committed to making lerna the best it can be. We use it ourselves. We hope you will continue to be a part of this community as we look to take things forward from here! Please see #3140 for more details on our plans for 2022. |
and others
Historically speaking, Lerna has had issue with consistent maintainers, even though it is very widely used. (800K+ weekly downloads from NPM - https://www.npmjs.com/package/lerna)
What are the longterm options for this package?
Can ownership be more formalized and support be? For example, I see that Stackstorm (https://stackstorm.com/) depends on this library pretty extensively. Can they take on ownership of maintaining this?
Do additional owners need to be added to the NPM package?
What is the best way to handle contributions and support, if no owners can be found? How can contributions be encouraged?
What happens to the Twitter account and website?
The text was updated successfully, but these errors were encountered: