RC npm: "Shrinkwrap.json" does not exist, and is hostile in a published package #10
Comments
|
@ljharb what's your take on using a shrinkwrap file for CLI apps and "deliverables" like that? |
|
@lirantal i think that it's at least defensible for a CLI app to do it, but I still don't think the benefits outweigh the downsides, especially for security updates. I'm not aware of any major CLI app that does so. |
|
Yes I can't think of any major CLIs that follow this either, actually. I seem to recall Express/Doug was doing that in the past for all of their packages but I think that changed. For me at least, I can say that I value being able to ship and account for reproducing issues with 100% confidence that what I tested is exactly what is running on end-users machine. Unlike SaaS or the web, those CLI apps can be bundled into other package managers like |
|
@ljharb can you explain more about the problems with security updates? With shrinkwrap, The CLI maintainer takes responsibility for the updates. If the CLI consumer has an app like dependabot installed and the CLI maintainer commits to keeping the dependencies up-to-date, the consumer will receive the security updates on each new CLI release. Is that correct? |
Its safe to say the best practice from the community perspective is only lock files and all mention of shrinkwraps is generally scrubbed from the public consciousness. It was used most prominently by Eran Hammers team at walmart labs https://www.npmjs.com/package/hapi
This ecosystem of packages stopped releasing |
|
@laurentsimon the entire npm ecosystem is designed such that the maintainer does NOT have the sole responsibility for updates - that the end consumer has that control (just like on the web). It's intensely hostile to users to prevent them from doing security updates themselves. |
|
@soldair can you elaborate on your 1st bullet on why would it be unpredictable? the whole point of the shrinkwrap file is to lock the entire dependency tree for down-stream consumers. On the whole concept of shrinkwraps - we can make parallels to the Java / Maven ecosystem where the pom.xml file specifies explicit versions of JARs (read: libraries). Then the maintainers of said JARs decide which other nested JARs to bundle inside them. This is effectively the same result, and I don't think developers in the Java community see this as a maintenance burden or deeply flawed issue. Would love to hear your insights on this. EDIT: I'm interested in exploring the cases of shrinkwrap file usage patterns from the point of view of "shipped packages" such as stand-alone CLIs, or for example Electron-based desktop apps, where the usage behavior is significantly different than using them in the form of consumable libraries, or application projects. |
|
I meant that it makes the npm installing algorithm depend on the contents of the tarball rather than exclusively the packument to produce an ideal tree. Shrinkwrap support was a major reason yarn was faster than npm when it gained popularity originally. Your use case does seem fine. if your cli auto updates and you ship a new version for every vulnerability you could effectively keep your clis on "safe" deps. |
|
Ahh. What you call "ideal tree" I interpret as "install-time resolution of dependency versions", aka "non-deterministic versions" :-) Thanks for sharing your perspective, appreciate that. |
|
@soldair what do you mean by |
|
I'll attempt to do justice with Ryan's take for them:
|
|
Thanks , that makes sense. Thanks everyone for the useful insights. So the consensus is that shrinkwraps are acceptable for standalone CLI with the caveats highlighted in the discussion, but not for application projects or libraries. So we should make this clearer in the document - in particular, the doc does not currently differentiate between CLI and application projects. Is this a fair reading of the discussion? @ljharb what did you mean by |
|
answering my own question: dev lockfiles are those used by the maintainers (e.g., package-lock.json), but not by the consumers |
|
Loving this discussion ❤️ Very insightful. As someone who was until recently the lead maintainer of Netlify CLI, would like to add my vote 👍 for shrinkwrap (or any other locking mechanism) for CLIs. We had numerous cases where a package we use broke SemVer and basically rendered the CLI useless (and often didn't even allow installation). Meaning our CLI would break without us changing anything on our end. For security issues/updates - 💯 to @lirantal that most of them are irrelevant for CLIs (e.g. regex denial of service issues). Also, for dependencies updates, personally I'd rather use Renovate to manage those, since I can verify tests are passing after the update (we often caught breaking changes in patch/minor updates this way). We had Renovate set to auto merge for patch and minor versions, so assuming tests don't fail (and in that case we wanted to know about it), the maintenance toll is low. We also recommend users to install the CLI as a local dev dependency and use a lock file in a CI environment. |
|
I think there is a missing nuance in this discussion: Some CLI's are "applications" per @ljharb and @lirantal's definition above and some are not. What determines the split is how you call into it. If you FWIW, most cli tools published to the registry are not applications and so that is why I also usually recommend not publishing using lock files. For example, An example of a true "application" cli: We have a series of complicated build/deployment script we publish as packages. Those are called in custom built docker containers as entry scripts and are never installed into other libs or applications. To ensure reliable and reproducible builds we use a shrinkwrap, but that is an implementation detail which we could have achieved in other ways avoiding publishing.
So I think this is getting close, but not quite where I would draw the line.
The express approach was specifically to deal with problems of the time, but it used non-range specifiers in package.json, not shirnkwraps. I do not recommend anyone else do what Express does. The key thing being that for "internal" deps (ones owned by the express project but published independently) it did not lock them. It is entirely a trust problem and driven by express' unique place in the ecosystem. |
I feel that this is very subjective but I agree :-) |
|
Maybe there is a way to make the line more clear. I agree it is so fuzzy that I have tried to explain it multiple times and still I am not sure it is clear to people. Is it more clear to say:
|
|
A few things I am missing: @erezrokah said:
Do you mean using the manifest's If it's via My understanding is that it should depend on whether the manifest declares the CLI dependency (for If the above is correct: how can the maintainer of a project control how their consumers install it? Is that why @wesleytodd said related question: Are |
|
If a project isn't meant to be installed, it has Published CLI tools are not deployed applications, and thus pretty much never include lockfiles. dev deps and prod deps are resolved the same, but can be filtered against separately. |
This is almost always true. The exception would be if a tool explicitly documents that it should never be installed in a project, which does not block users from doing it but also 🤷 what more can an author do. So an example would be if you used npm to host and resolve semver-ness, but didn't intend for the code to be installed in a project. To be very clear, I have not seen this in practice in the OSS ecosystem, but have seen it in practice at multiple companies who publish internal JS libs. So all in all I am comfortable if the "best practice" document really just says "if it is published it shouldn't use a lock", but as with many "best practices", the exception make the the rule. I think the way it is laid out in the new PR is good and accurate, so IMO it is good as is but if you wanted to simplify so novice end users are not confused about the distinction I would also be alright with that. |
Yes I mean as a dev dependency by running See https://docs.netlify.com/cli/get-started/#installation-in-a-ci-environment: The problem I want to solve as a CLI author (reasons described in #10 (comment)) is that every time a user runs Otherwise, the following can happen (and has happened multiple times):
|
|
👆exactly |
|
@erezrokah Are we talking past each other or are we at an impasse? What I read from your comment, but is not directly said, is that you want to ship The way I read the linked issue (EDIT: I am well aware of this incident and it's impact, just realized what I wrote did not reflect my familiarity so wanted to clarify this was not just in response to reading your link) is that the tool needs to publish a version with a pin back, and existing apps need to keep their lock files. The alternative is apps never updating (even if they want to and there are security updates) because they will be locked to your response as a package author. The goal is not to make the problem worse with a solution for a subset of the use cases. Additionally the end user should always come before the package maintainer in this. So taking the control away from the end user is bad unless the control was always in the wrong place and you also offer a way to "opt out" as the user. In this case there is neither a way to opt out (maybe overrides can, but that is unclear to me now) and also it is very clear maintainers do not do a better job of this than app owners in most cases. |
|
Thanks @wesleytodd for adding more context. I think I get your point now, please let me know if this makes sense:
Is this point valid to prod dependencies too? Also in some cases it's not clear if a package should be a dev or a prod dependency (especially when the output is bundled). See facebook/create-react-app#10219 and https://stackoverflow.com/questions/44868453/create-react-app-install-devdepencies-in-dependencies-section/44872787#44872787.
OK so I think I understand the tradeoff:
💯 Completely agree on putting the users first. If there was a way to allow packages to be consumed in a predictable way and still let users update dependencies that would be best. I've just stumbled upon https://research.swtch.com/vgo-intro#minimal_version_selection which is an interesting approach, that I don't completely understand yet, and planning to give it a deeper read. |
|
Closing this as resolved with #25. Please take a look and if anyone has a concern we'll re-open and continue the discussion |
Perhaps you're thinking of
npm-shrinkwrap.json.A shrinkwrap file is very user-hostile to include in a published package, because it actively prevents deduping, and blocks consumers from updating through security vulnerabilities and bugfixes - it actively worsens security.
Only apps should have lockfiles (dev-only lockfiles like package-lock.json are a bit more nuanced, but are safe wrt this concern), and we should be very clear about that so nobody inadvertently thinks it's less than a terrible idea to ship a shrinkwrap file.
The text was updated successfully, but these errors were encountered: