Closed hungrypipo closed 1 year ago
Thank you for filing this issue. We appreciate your feedback and will review the issue as soon as possible. Remember, however, that GitHub isn't a mechanism for receiving support under any agreement or SLA. If you require immediate assistance, contact Salesforce Customer Support.
Hello @hungrypipo :wave: It looks like you didn't include the full Salesforce CLI version information in your issue.
Please provide the output of `version --verbose --json` for the CLI you're using (`sf` or `sfdx`).
A few more things to check:
`rc` or `nightly` versions. (docs)
`doctor` command to diagnose common issues.
Thank you!
Hey @hungrypipo, I just want to make sure I understand the problem: Your company restricts you from downloading any `npm` version that has not shipped [at one time] with `node`?
Yes correct, we only get npm packaged with node releases that they approve and make available and all other artifacts from npm are also controlled via artifact infrastructure. We've hit this issue with sfdx-cli and now @salesforce/cli now that the plugin infrastructure pulls in npm as a dependency
Gotcha, thanks. I have a few ideas on how we could resolve this, going to run it by the team. I'll get back to ya
Please and thank you, it would help a lot of people
@hungrypipo Could you please clarify something for me

> with node releases that they approve

Do you have blanket approval on the LTS version of Node? Or do you have to get approval for specific semver versions of Node? For example: Today LTS is `18.17.0`. If tomorrow they released `18.17.1` as LTS could you use it? Or would `18.17.1` need to be approved before use?
We get an approved version not directly the LTS that node releases that day. So right now LTS is 18.17.0 we are on 18.16.1
Are you able to download the CLI tarballs? They have deps bundled and would not require an npm install.
No because we can't install from external sources. We use NPM because with the artifact management system we can request artifacts to be procured to it but it breaks now because of the NPM artifact being blocked.
Gotcha, I didn't figure. Well, this is a bit tricky since you do not have blanket approval on all versions on Node LTS. If you did, my thought was that we could create a Github Action (cron) to do the following on `plugin-trust` and `plugin-plugins` to ensure we always included an "approved" version of `npm`:
`npm` version included
`yarn add` it
`git status` is not clean)
However this would continually bump the `npm` version, this happens all the time. Just search for `upgrade npm to` here. There have been 34 `npm` version bumps in Node 18 so far. We also cannot reasonably just pin those `npm` versions. They would fall behind and we would have to check in with you every time we changed the version. Not to mention remembering all of this a year from now.
Could you please try a potential work around? Create a directory and add this `package.json` and do an `npm install`

```json
{
  "name": "npm-test",
  "version": "1.0.0",
  "dependencies": {
    "@salesforce/cli": "2.1.7"
  },
  "overrides": {
    "npm": "9.5.1"
  }
}
```
Testing this locally, running `npm why npm` after an install shows that this is working

```
overridden npm@"9.5.1" (was "^9.7.2") from @oclif/plugin-plugins@3.1.6
overridden npm@"9.5.1" (was "^8.19.4") from @salesforce/plugin-trust@2.4.32
```
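Added example, not part of the thread or of the Salesforce CLI code base: one way to check in CI that the override took effect, by looking up the npm version bundled with the approved Node release and flagging every installed copy of `npm` in the lockfile that differs. The release index and both lockfiles below are constructed samples; their field names are assumed to follow `nodejs.org/dist/index.json` and a `lockfileVersion` 3 `package-lock.json`.

```javascript
// Added example. Data is constructed; field names follow nodejs.org/dist/index.json
// and the "packages" map of a lockfileVersion 3 package-lock.json.
const nodeIndex = [
  { version: "v18.17.1", npm: "9.6.7", lts: "Hydrogen" },
  { version: "v18.16.1", npm: "9.5.1", lts: "Hydrogen" },
];

// Lockfile as resolved without overrides: each plugin nests its own npm.
const lockBefore = { lockfileVersion: 3, packages: {
  "": { name: "npm-test", version: "1.0.0" },
  "node_modules/@oclif/plugin-plugins": { version: "3.1.6" },
  "node_modules/@oclif/plugin-plugins/node_modules/npm": { version: "9.8.0" },
  "node_modules/@salesforce/plugin-trust": { version: "2.4.32" },
  "node_modules/@salesforce/plugin-trust/node_modules/npm": { version: "8.19.4" },
  "node_modules/npm-run-path": { version: "4.0.1" }, // name only starts with "npm"
} };

// Lockfile after the "overrides" entry: one hoisted npm at the approved version.
const lockAfter = { lockfileVersion: 3, packages: {
  "": { name: "npm-test", version: "1.0.0" },
  "node_modules/@oclif/plugin-plugins": { version: "3.1.6" },
  "node_modules/@salesforce/plugin-trust": { version: "2.4.32" },
  "node_modules/npm": { version: "9.5.1" },
  "node_modules/npm/node_modules/semver": { version: "7.5.4", inBundle: true },
} };

// npm version bundled with a given Node release, per the release index.
function bundledNpm(index, nodeVersion) {
  const wanted = nodeVersion.startsWith("v") ? nodeVersion : `v${nodeVersion}`;
  const entry = index.find((r) => r.version === wanted);
  if (!entry) throw new Error(`Node ${wanted} is not in the release index`);
  return entry.npm;
}

// Every installed copy of the package named exactly "npm", at any nesting depth.
function npmCopies(lockfile) {
  return Object.entries(lockfile.packages || {})
    .filter(([path]) => path.split("node_modules/").pop() === "npm")
    .map(([path, meta]) => ({ path, version: meta.version }));
}

// Copies whose version differs from the approved one; empty means compliant.
function violations(lockfile, approvedNpm) {
  return npmCopies(lockfile).filter((c) => c.version !== approvedNpm);
}

const approved = bundledNpm(nodeIndex, "18.16.1"); // 9.5.1
console.log(violations(lockBefore, approved), violations(lockAfter, approved));
```
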
Oh nice will try and let you know! Thanks! Just to clarify, this package.json has to be in your local path? because the salesforce/cli is installed as global
You'll have to play around with that a little bit. You might be able to put that `package.json` in your global `npm` folder and run the install from there?
For me, that is `/Users/username/.nvm/versions/node/v18.15.0/lib` since I use `nvm`
Otherwise, you would just need to make sure the installed `node_modules/.bin` directory was on your `PATH`
For example: `export PATH=/Users/username/dev/npm-test/node_modules/.bin:$PATH`
Afterward, run `which -a sf` to show every `sf` that exists on your `PATH`
Ok so if I do a local (not global) install of @salesforce/cli the override trick works
Also your fix you mentioned, trying to understand, I know we don't get blanket approval of all LTS versions but wouldn't your process create versions that aligned to LTS versions. Like if your GitHub action was in place there would be a version of the cli that aligns with each LTS version, we would just install the one we are on.
Which would be a huge improvement to what we have now
I guess what I'm asking, could you do the Github Action (cron) to make the LTS aligned versions? I understand there would be interim versions that had bumped npm versions that didn't align to LTS too but we would stay away from those. That way we have clean installable versions in our artifact repository without workarounds. The workaround is just that, and gets messy because we have to maintain version in that package.json and make it work in Jules too.
Cool, glad that the overrides (sorta) works.
Yea, that would be the idea. It would always be a version of `npm` that had shipped with `node`. One caveat though, we would likely run this cron on Tuesdays since we promote on Wednesdays. It is possible that, just by chance, multiple weeks in a row would include a version of `npm` that your company has not yet approved.
I suppose worst case, if there was a CLI bug fix that you really needed you could do the override trick or ask your IT department to approve the `node` that includes the `npm` version
Yeah but you would build up a library of LTS versions so once we got to that LTS we could use the artifact. So I guess starting now you'd have LTS 18.17.0 since that's out and we'll be able to use it once we're at 18.17.0
Yep, understood, I think we're saying the same things 😁 I'll get a ticket created and try to get to it soon, I'll be out most of next week. Have a great weekend @hungrypipo!
This issue has been linked to a new work item: W-13848117
Thank you for filing this feature request. We appreciate your feedback and will review the feature at our next grooming or sprint planning session. We prioritize feature requests with more upvotes and comments.
Curious how I can track this workitem/feature? Why was the feature tag removed?
@iowillhoit can you help me understand what the state of this issue is?
This issue has not received a response in 7 days. It will auto-close in 7 days unless a response is posted.
@iowillhoit can you help me understand what the state of this issue is?
Hey @hungrypipo, sorry I've been OOO a bit and we've had some priority changes. I am going to work on this today.
@hungrypipo The workflow is in place that will update the `npm` version in `plugin-trust` and `plugin-plugins` every Tuesday morning. This will get included in Tuesday's `nightly` build. `nightly` is promoted to `latest-rc` on Wednesdays. The following Wednesday, it will be promoted to `latest`.
As we discussed, this will ensure that the included `npm` version will always be one that has been bundled with Node LTS. I confirmed that the version installed is correct: `node@18.17.1` currently includes `npm@9.6.7`. See the screenshot from the Github runner below and the `npm` version update in the Node changelog.
If by chance this `npm` version is not approved, work with your IT or wait until next week's update. Note: I just manually kicked off a new "nightly", you can install it now with `npm install @salesforce/cli@nightly --global`
@iowillhoit Thank you!
Just tested this nightly build 2.8.8 npm as expected! npm@9.6.7
Awesome! Glad it's working for ya 🎉
The latest @salesforce/cli (v 2.1.7 at this time) is not installable in our environment because two dependencies request non-standard npm versions (ones that do not come packaged with NodeJS versions)
@oclif/plugin-plugins@3.1.6 --- npm@9.8.0
@salesforce/plugin-trust@2.4.32 --- npm@8.19.4
We have NodeJS 18.16.1 with npm 9.5.1, we are not allowed to pull npm as an artifact so the install fails
I also understand that the dependencies are managed by dependabot which automatically bumps the versions
Would it be possible to stop dependabot on the npm dependency for these 2 dependencies and make sure the npm version aligns with NodeJS packages?