This repository has been archived by the owner on Oct 9, 2023. It is now read-only.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Update recommendations for lockfiles #25
Update recommendations for lockfiles #25
Changes from 20 commits
c8a9d3b
f2e06a8
ed3eaf1
cc5c654
5d9d5fc
8b81f9c
2fd0659
ce3c62f
a19a020
9cca608
d014ad6
1db3592
46ec483
7908deb
e8253af
1ee1de4
6d8eb0e
238630e
5bb7a87
ecff088
575b376
0d5e822
893832d
044fc7f
425571e
a47c8be
7ce831f
42663ca
File filter
Filter by extension
Conversations
Jump to
There are no files selected for viewing
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is not the best practice, similar to the shrinkwrap discussion, it depends on the type of project. So only applications should define a
package-lock.json
and commit it to their repos.If libraries are using lockfiles they can accidentally publish versions which were only tested with outdated dependencies, so end users might break when they do a fresh install. The goal for library authors should be to have a CI system which does a "fresh" install so that a new user that just runs
npm i your-lib
will atleast at the time of publishing get the same experience you did in your tests.For comparison, an application should use a lock file because for your users to "get the same experience as when authored" you need even rebuilds of the same source to produce consistent results. So the lockfile means a build from the same commit will get the same experience you intended at the time of publishing. And you as the author typically control the full experience, as there is no "client building" of the app code like there is with a lib.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
you're right I botched the part on libraries. I was trying to say the following:
npm ci
andnpm install-ci-test
locally.npm install --no-package-lock
) and should be careful to run these tests in a non-privileged environment.npm ci
andnpm install-ci-test
, and should also pay attention to using the less-privileged principles for their CI runsI'm trying to reconcile the comments in #24 (lockfiles to mitigate malicious dependencies on dev machines) and the fact that it should not be used on libraries (or in projects that
end up in other projects' manifest / lockfiles
).An alternative to
1
above would be to tell contributors to define a lockfile locally (in combination with.gitignore
). However updates to this file would be manual and difficult to keep track of. Having it in the repository benefits from the commit history of the repo.Looking forward to your feedback / suggestion. Thanks again!
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
friendly ping for feedback
@wesleytodd
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Not sure where this captures the actual legitimate use of shrinkwrap files, which is when building and shipping standalone CLIs.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
the text above was just a diff from the PR's content. shrinkwrap was already discussed. Can you take a look at the section
If a project is a standalone CLI:
?There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Aaa yes I see it there now. Sorry, jumped too fast on this :-)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@wesleytodd do you have further feedback? Are you OK with the latest changes?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Really sorry for dropping off here, I totally missed the notification.
I think what landed in the "recommendations" section is technically correct, so glad to see it got sorted out. One thing I do feel here is that it is a quite complicated set of recommendations. I sent the link to a team member at work and they basically just said "I will just remove the package-lock". I think this will be a common response because the guide is technically correct at the cost of being very complicated.
Anyway, like you said below:
👍
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I don't disagree that we could make the recommendation simpler. Do you think we should include more examples, and possibly links to an example repository which contains lock files, a workflows example, etc?