feat: Use npm v7 #304
feat: Use npm v7 #304
Conversation
|
Not sure why the integration tests fail with 403 errors. |
|
Thanks a lot Daniel, I really want us to upgrade to |
|
Possible a bit off-topic but I am a bit curious as to why it has to be a dependency at all, is not not possible to use system npm? |
the problem is compatibility. WE don't know what system npm version you have and making sure that the code is compatible with all current and future version is a maintenance nightmare |
But it is also a bit nightmare-ish for users? It pulls many extra dependencies (some with security vulnerabilities) and it also causes incompatibilities in run scripts, e.g. system with npm 7 uses npm 6 (or vice versa after this PR) when using But I get your point, I was mostly curious about the reasoning. |
|
Expect this issue to have more activity in the coming days, we received this notification two hours ago from dependabot. edit: Link to GHSA: GHSA-vx3p-948g-6vhq /
|
|
@gr2m I figured out why the integration tests fail, It is only because npm v7 does not set the maintainers field anymore on publish, but npm-registry-couchapp requires it to be set. To fix this I switched to the proper npm registry verdaccio instead of the docker image from here. Now all the test seems to work :) |
|
|
||
| // Verify the logger has been called with the version updated | ||
| t.deepEqual(t.context.log.args[0], ['Write version %s to package.json in %s', '1.0.0', cwd]); | ||
| }); |
There was a problem hiding this comment.
Because it was testing npm internal stuff. Npm v7 does not format package.json files anymore, so this test failed because no newlines were present in the expected package.json.
I could have "fixed" the test and adjusted the expected output, but the test before this one (Preserve indentation and newline) does exactly the same thing then and the testname would have not really described anymore what it is testing. So I decided to remove it.
|
🎉 This PR is included in version 7.1.0 🎉 The release is available on: Your semantic-release bot 📦🚀 |
|
This won't result in projects still using the old format publishing with the new This may not technically be breaking, but it is causing issues for some of our tooling that was calling npm and expecting the v6 output. |
|
Is the |
|
Hey @danez. 👋 Hope you are doing well. We've updated semantic-release/npm from 7.0.10 to 7.1.0 and since then our release flow isn't able to pubish packages anymore to our private repository due to an authentification error. The release is performed inside a Github action providing an - name: Release
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
run: npm run release -- --debugThe error we're receiving is Reverting the dependency update made our releases to finish successfully again. Do you have any advice where to look for a fix? |
|
hey @weaintplastic, That is odd as this error only appears if no credentials are found for the registry. https://github.com/npm/cli/blob/latest/lib/publish.js#L99-L109 what is the npm version that is now installed in your project? |
|
@danez we are using node 15 and npm 7. we have a |
which required swapping the registry from the integration tests to verdaccio, similar to the change in semantic-release/npm#304 for #2055
I updated npm from v6 to v7. Reading the blogposts there shouldn't be any breaking changes, at least not in the functionality that semantic-release uses.
One test failed, but it was testing npm internal stuff about formating of package.json, so I removed it. (npm v7 does seem to preserve whatever formatting is in the file and just replace the version.) Hope that is okay?