ONSdigital / sdc-global-design-patterns

The SDC Global Design Pattern library. Used as the basis for SDC projects. Outputs to CDN for use in production and development projects, documentation publishes to netlify.
https://sdc-global-design-patterns.netlify.com/

Change to npm rather than yarn #202

Closed bameyrick closed 5 years ago

bameyrick commented 6 years ago

What is the context of this PR?

Having discussed with @boxadesign I've converted the project to use npm package-lock.json rather than yarn, as this allows us to use tools such as npm audit.

I've also:

saedwards commented 6 years ago

Why don't we use https://yarnpkg.com/lang/en/docs/cli/audit/?

bameyrick commented 6 years ago

@saedwards I didn't realise they had released yarn audit yet... Now that they've released it, it makes converting to npm less compelling, as the only other benefits are npm version changing with nvm and npx, although we could still use npx with yarn.

I'm happy to revoke this PR and removal of unused dependencies / upgrading of packages with vulnerabilities with yarn if everyone thinks this is the best option?

armstrongb commented 5 years ago

Might be less conflict around to stay yarn? Could be worth having a discussion around merits of either?

bameyrick commented 5 years ago

I would say it would be fewer conflicts, definitely. The reason for switching back was the lack of an audit feature in yarn, but now that it has it, there's not much of a reason to change.

Personally I prefer yarn just because I'm too lazy to type run ¯\_(ツ)_/¯

Currently pros and cons I'm aware of are:

Yarn

Pros

Cons

npm

Pros

Cons

boxadesign commented 5 years ago

@bameyrick If we are going to stick with yarn can we stop the package-lock.json file being generated or causing the warning on this branch so we can merge it in?

bameyrick commented 5 years ago

> @bameyrick If we are going to stick with yarn can we stop the package-lock.json file being generated or causing the warning on this branch so we can merge it in?

I can use yarn import to generate a yarn.lock file from the package-lock.json and then delete the package-lock.json, and then obviously change all the docs back to yarn commands.

Once conflicts are resolved this could be merged in then.

bameyrick commented 5 years ago

I've put everything back to using yarn now, but kept the vulnerability fixes, package.json sort so this would be ok to merge if everyone is happy
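
A guard for the end state this thread settles on (yarn.lock as the only lockfile, checked with yarn audit), as an added example that is not part of the PR or the project's code. It assumes Yarn 1.x, whose `yarn audit` exit status is a bitmask of the severities found (1 info, 2 low, 4 moderate, 8 high, 16 critical); the function names and the default high/critical blocking policy are assumptions.

```shell
#!/bin/sh
# Added example (not from the PR). Function names and policy are assumptions.

# Print which lockfiles exist in DIR: mixed | npm-only | yarn-only | none.
lockfile_state() {
    d=${1:-.}
    if [ -f "$d/package-lock.json" ] && [ -f "$d/yarn.lock" ]; then echo mixed
    elif [ -f "$d/package-lock.json" ]; then echo npm-only
    elif [ -f "$d/yarn.lock" ]; then echo yarn-only
    else echo none
    fi
}

# Yarn 1.x `yarn audit` exits with a bitmask of the severities it found.
decode_audit_status() {
    code=$1; out=""
    for pair in 1:info 2:low 4:moderate 8:high 16:critical; do
        bit=${pair%%:*}; name=${pair#*:}
        if [ $((code & bit)) -ne 0 ]; then out="$out $name"; fi
    done
    echo "${out# }"
}

# Succeeds when CODE holds a severity in MASK (default 24 = high|critical, assumed policy).
audit_blocks() {
    [ $(( $1 & ${2:-24} )) -ne 0 ]
}

# Gate for a yarn-managed repo: a single lockfile and no blocking advisories.
ci_gate() {
    repo=${1:-.}
    state=$(lockfile_state "$repo")
    if [ "$state" != "yarn-only" ]; then
        # npm-only is the case `yarn import` converts; mixed leaves both files behind.
        echo "lockfile state '$state': expected yarn.lock only" >&2
        return 1
    fi
    rc=0
    (cd "$repo" && yarn audit) || rc=$?
    if audit_blocks "$rc"; then
        echo "blocking advisories: $(decode_audit_status "$rc")" >&2
        return 1
    fi
    echo "audit passed (found: $(decode_audit_status "$rc"))"
}

# Run the gate only when asked, e.g. `sh gate.sh --gate path/to/repo`.
if [ "${1:-}" = "--gate" ]; then ci_gate "${2:-.}"; fi
```
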