codeoverflow-org / nodecg-io

A NodeCG-bundle which implements Social Media APIs in the NodeCG framework
https://nodecg.io
MIT License

Ditch lerna & add auto-updating for npm with dependabot #263

J0B10 closed 2 years ago

J0B10 commented 3 years ago

Description

Lerna is currently used for managing the multiple packages.

Especially hoisting helps us to store common dependencies only once in the node_modules folder. Without that feature the full installation of nodecg-io could become >5GB in file size and have 70 or so instances of TypeScript.
Unfortunately hoisting is currently not supported by dependabot, which would break the package-lock.json on every update.

Also lerna is no longer maintained at the moment so it would be beneficial to ditch it in favour of npm workspaces.

Npm workspaces would have the benefit of working well together with dependabot (which should be used for automatic updates of dependencies), but we would have to find a way to execute the build script of all packages in parallel and in the right order.

References

Dependabot for github actions: https://github.com/codeoverflow-org/nodecg-io/pull/262

derNiklaas commented 3 years ago

What's the impact on storage / install time? 👀

hlxid commented 3 years ago

What exactly do you mean by that? npm workspaces puts all dependencies into a node_modules like lerna's hoist mode, so install size will be roughly the same. I haven't measured how long lerna vs npm workspaces need for installation but it's roughly the same.

I haven't tested whether dependabot supports npm workspaces but I assume so because it is an official npm feature and very similar to Yarn workspaces, which are supported by dependabot.

Another open point is how we want to build our TypeScript code. Currently we use lerna run which builds everything in the correct order and parallelizes builds when possible. npm has npm run build --workspaces but it only executes the build script in one module at a time and has no parallelisation. The TypeScript compiler has its own ways to build multiple modules but I haven't looked into that yet and from what I remember it requires that the path of each project is specified and doesn't allow for wildcards which is kinda limiting.

Switching to Yarn would also be a possibility but I don't know whether the newest version is fully supported by dependabot. Most developers have already worked with npm and know how it roughly works, so I think it would be good if they can re-use their experience instead of learning a new tool, but of course Yarn also has its advantages.
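
The build ordering discussed in the comment above (dependencies first, independent packages in parallel), as an added example that is not part of the thread or of nodecg-io's code. The package names are constructed and `buildWaves` is a hypothetical helper; it only computes the order and leaves running the builds to the caller.

```javascript
// Group workspace packages into build "waves": packages in one wave do not
// depend on each other and can build in parallel; a wave may start only
// after every earlier wave has finished.

// Constructed sample: package name -> workspace packages it depends on.
// Hypothetical names, not the real nodecg-io package list.
const sampleWorkspace = {
  "core": [],
  "utils": [],
  "service-a": ["core", "utils"],
  "service-b": ["core"],
  "sample-bundle": ["service-a", "service-b"],
};

function buildWaves(graph) {
  const names = new Set(Object.keys(graph));
  const remaining = new Map();   // package -> number of unbuilt internal deps
  const dependents = new Map();  // package -> packages that wait for it
  for (const name of names) dependents.set(name, []);
  for (const name of names) {
    // Dependencies outside the workspace (registry packages) do not affect order
    const internal = [...new Set(graph[name])].filter((d) => names.has(d));
    remaining.set(name, internal.length);
    for (const d of internal) dependents.get(d).push(name);
  }
  const waves = [];
  let built = 0;
  let ready = [...names].filter((n) => remaining.get(n) === 0).sort();
  while (ready.length > 0) {
    waves.push(ready);
    built += ready.length;
    const next = [];
    for (const name of ready) {
      for (const waiting of dependents.get(name)) {
        remaining.set(waiting, remaining.get(waiting) - 1);
        if (remaining.get(waiting) === 0) next.push(waiting);
      }
    }
    ready = next.sort();
  }
  if (built !== names.size) {
    // Whatever never became ready is part of, or blocked by, a cycle
    const stuck = [...names].filter((n) => remaining.get(n) > 0).sort();
    throw new Error("dependency cycle among: " + stuck.join(", "));
  }
  return waves;
}

console.log(buildWaves(sampleWorkspace));
```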

hlxid commented 2 years ago

Reopening this because we still need to enable dependabot. Let's hope that it works with npm workspaces as I haven't tested it, as said. I would have done the move away from lerna to npm workspace anyway because it is unmaintained and rather complicated for newcomers. Dependabot was just another reason to do it, so it's fine if it doesn't support it.