shrinkwrap

[jonathanong]

thought about shrinkwrap and thought i could push this into 1.0.0, but it got more confusing as i thought about it.

• component shrinkwrap - create a component-shrinkwrap.json file, which only has .dependencies
• component shrinkwrap install - install the dependencies in the shrinkwrap
• component shrinkwrap outdated - check outdated dependencies in the shrinkwrap

use-cases:

• pinning dependencies of dependencies not mentioned in component.jsons.
• pinning semver ranged dependencies, so that the resolver doesn't need to resolve semver stuff (which is slow and requires github API requests)

does not:

• include any pinned dependencies in component.json
• support multiple versions of any component

workflow:

component shrinkwrap install
component install

install the shrinkwrap stuff first, then all the other stuff.

[pirxpilot]

I am not sure why one needs component install after component shrinkwrap install. Could you explain? I would think you'd use one or the other (depending on if you want to resolve and update your deps or just restore last shrinkwrapped state).

Also: why a separate component shrinkwrap outdated, component outdated should do that job.

Worth noting that shrinkwrap is for applications that use the component and not for the components. Components should always be as lax as possible with dependency declarations. Applications on the other hand need a specific subset.

Also one thing to clarify (I know many people get it, but I often see folks getting confused about it): Even if all components that application is using have proper semver declared dependencies there might be (and there usually is) a finite set of component versions that satisfy all dependencies. And with time that good subset changes (as new versions are released). Shrinkwrap gives you the freedom of using semver to specifying what's good enough while retaining the control on when exactly you are ready to upgrade to the next version. I would suggest using component pin very sparingly if at all. YMMV

[jonathanong]

basically, you only shrinkwrap everything that you yourself didn't pin. there's no need to shrinkwrap dependencies you've already pinned.

component outdated doesn't handle dependencies of dependencies. i don't think it should either. the way npm outdated works right now is super annoying because i can't update most of those nested dependencies, so it's just all noise.

we could have component shrinkwrap install also run component install. that's not a big deal.

[pirxpilot]

OK - I get the component shrinkwrap outdated now.

I still think things are way simpler if shrinkwrap does not make any distinctions between what's already pinned and what's not. But I might be missing something: ask again once I actually have a chance to write some code ;-)

[jonathanong]

the shrinkwrap won't support multiple dependencies, but the JSON will. unless you do a nested shrinkwrap like npm, but then i'm -1.

i see shrinkwrap as a helper for the component.jsons' dependencies. shouldn't need to replace them. what if you update a dependency but not the shrinkwrap?

but yeah, code first :D