Open balgillo opened 3 years ago
I am under the impression that npm-shrinkwrap.json
is NPM's version of yarn.lock
, isn't it?
If so, this is our best way to enforce the installation of particular dependencies and avoid all "works on my machine" issues See: https://classic.yarnpkg.com/blog/2016/11/24/lockfiles-for-all/
@ikkisoft I think it's good to have this file in your repository, but not to publish it with your library. Unlike yarn.lock
, npm-shrinkwrap.json
does affect your consumers, via package-lock.json
(see https://docs.npmjs.com/cli/v6/commands/npm-shrinkwrap#description)
We've been tracing an issue where npm
seems to sporadically rewrite our package-lock.json
. It seems to only happen to dependencies of Electronegativity. I suspect it's related to the use of shrinkwrap, since it isn't happening to any other libraries in our repo. Linking in case it turns out to be related: https://github.com/npm/cli/issues/3225
This has started causing a new problem for us as well, since npm-shrinkwrap.json
includes things like fsevents
v1.2.12, which causes install to fail on Windows. fsevents
is a dependency of chokidar
which is in shrinkwrap but not even used by electronegativity from what I can tell.
Unfortunately I think we are going to have to back out electronegativity from our testing pipeline until we can run it without pulling all these dependencies. Please consider dropping this file from the published package. 🙏🏼
@ikkisoft this bit from that Yarn blog post is the key:
When you install dependencies in your application or library, only your own yarn.lock file is respected.
As @balgillo mentions, this is different from NPM, which will respect the shrinkwrap file during install.
Hello and thanks for reporting this!
Electronegativity was designed to be a command-line tool for auditors, which only later was adapted to be optionally used as a library. The documentation on NPM you cited also states:
The recommended use-case for npm-shrinkwrap.json is applications deployed through the publishing process on the registry: for example, daemons and command-line tools intended as global installs or devDependencies.
I'm convinced that the majority of our users are using it as a standalone, global install, but I'm willing to remove the shrinkwrap file for the time being and check with you if you're still experiencing problems (see v1.9.1). I reserve the right to restore it in case of reproducibility issues related to dependency discrepancies.
Understood!
Have you considered separating out the library from the CLI and publishing them as separate artifacts? That might solve the problem of publishing npm-shrinkwrap.json
while letting people consume the library without conflicts.
I haven't used electronegativity. But isn't this a cli tool ? And according to their documentation, it should be installed globally.
That means, you could just leave it out your package.json Then it shouldn't impact the dependencies of your specific project at all.
Describe the bug This project publishes its
npm-shrinkwrap.json
. That's discouraged:The practical impact is that electronegativity's dev dependencies are ending up in our package-lock.json (marked as either
optional
orextraneous
, maybe depending on npm version). This is even though we are declaring electronegativity as adevDependency
so its dev dependencies should be ignored. That may be caused by an npm issue. But if electronegativity didn't publish itsnpm-shrinkwrap.json
, that bug wouldn't matter.There are three dev dependencies that are particularly problematic because they or their dependencies have security advisories against them:
To Reproduce Steps to reproduce the behavior:
npm init
in new directorypackage.json
add:npm install --include=dev
package-lock.json
for"base"
,"chokidar"
,"snapdragon-node"
to see optional or extraneous dependencies.Expected behavior Expect there to be no
npm-shrinkwrap.json
published withelectronegativity
, so itspackage.json
is used to declare its dependencies. Only the runtime dependencies of electronegativity (and their trees of runtime dependencies) should end up in ourpackage-lock.json
.Platform (please complete the following information):