hpi-sam / digital-fuesim-manv

A German simulation system for training emergency medical services leadership personnel on how to manage Mass Casualty Incidents.
https://fuesim-manv.de/
GNU Affero General Public License v3.0

script to update packages (package-lock.json) #667

Open anonym-HPI opened 1 year ago

anonym-HPI commented 1 year ago

A script to update packages to (at least) their newest minor version could be useful. Keeping packages up to date is probably something we should do regularly, or is there something in place already?

I know that we have a watcher for CVEs in dependencies, but this wouldn't for example alert when a bug gets fixed in a minor version or so.

I would propose something like: npm run update:packages:all (for updating them in root, frontend, shared and backend). The name came from this: https://jh3y.medium.com/how-to-update-all-npm-packages-in-your-project-at-once-17a8981860ea

The script should also change the package-lock.json files, to commit them.

@Dassderdie @ClFeSc what do you think?

Dassderdie commented 1 year ago

One could install something like npm-check-updates globally and run e.g. ncu -u --deep from the root.

anonym-HPI commented 1 year ago

Was seeing this, not sure if it could break things, as it seems to upgrade to latest major version, not minor version (see https://chektek.com/code/update-all-node-packages-to-latest/ the Warning part).

Dassderdie commented 1 year ago

> Was seeing this, not sure if it could break things, as it seems to upgrade to latest major version, not minor version (see https://chektek.com/code/update-all-node-packages-to-latest/ the Warning part).

You should always look at the changelogs of a package and what exactly was updated before upgrading it. Therefore you would catch any unwanted major versions. Also, not every package follows semver (e.g. typescript). ncu also offers an --interactive flag.
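As an added example (not part of the thread and not code from this repository), the review step described above can be partly automated by comparing the package-lock.json before and after an update and flagging every change that deserves a changelog read. The lockfile snippets, the example-* package names, and the NON_SEMVER list are constructed assumptions.

```javascript
// Constructed sample lockfiles (lockfileVersion 2/3 layout), not the repository's real data.
const OLD_LOCK = { packages: {
    '': { name: 'root' },
    'node_modules/typescript': { version: '4.8.4' },
    'node_modules/example-ui': { version: '2.3.1' },
    'node_modules/example-util': { version: '1.2.0' },
    'node_modules/example-beta': { version: '0.4.1' },
} };
const NEW_LOCK = { packages: {
    '': { name: 'root' },
    'node_modules/typescript': { version: '4.9.5' },
    'node_modules/example-ui': { version: '3.0.0' },
    'node_modules/example-util': { version: '1.2.4' },
    'node_modules/example-beta': { version: '0.5.0' },
} };
// Assumption: packages whose minor releases may contain breaking changes.
const NON_SEMVER = new Set(['typescript']);

function parseVersion(v) {
    const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
    return m ? m.slice(1).map(Number) : null; // null for git URLs, tags, etc.
}

function bumpKind(from, to) {
    const a = parseVersion(from), b = parseVersion(to);
    if (!a || !b) return 'unknown';
    const i = a.findIndex((n, idx) => n !== b[idx]);
    if (i === -1) return 'none';
    return b[i] < a[i] ? 'downgrade' : ['major', 'minor', 'patch'][i];
}

function diffLockfiles(oldLock, newLock) {
    const report = [];
    for (const [path, entry] of Object.entries(newLock.packages ?? {})) {
        const before = oldLock.packages?.[path];
        if (path === '' || !before || before.version === entry.version) continue;
        const idx = path.lastIndexOf('node_modules/');
        const name = idx === -1 ? path : path.slice(idx + 'node_modules/'.length);
        const kind = bumpKind(before.version, entry.version);
        // Minor bumps need review for non-semver packages and for 0.x versions.
        const riskyMinor = kind === 'minor' &&
            (NON_SEMVER.has(name) || before.version.startsWith('0.'));
        const review = ['major', 'downgrade', 'unknown'].includes(kind) || riskyMinor;
        report.push({ name, from: before.version, to: entry.version, kind, review });
    }
    return report;
}

console.table(diffLockfiles(OLD_LOCK, NEW_LOCK));
```
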

ClFeSc commented 1 year ago

I agree with @Dassderdie on this. I don't think we should provide a way of updating packages when there already exist solutions like ncu.

anonym-HPI commented 1 year ago

As long as someone regularly updates packages, we shouldn't need it. npm run setup should be used to update local packages when someone else updates the packages in the repo, or what would be the way? Maybe we could document this, or is this even needed for development (probably at some point, when packages are too out of date)?

Dassderdie commented 1 year ago

> As long as someone regularly updates packages, we shouldn't need it. npm run setup should be used to update local packages when someone else updates the packages in the repo, or what would be the way? Maybe we could document this, or is this even needed for development (probably at some point, when packages are too out of date)?

npm run setup makes sure that the locally installed packages are in sync with the package.json and sometimes updates the package-lock.json if there are newer versions present (search for npm install to get more detailed information).

I don't think general stuff about updating packages should be documented in this repository, as this is nothing specific to us, but instead applies to all current web development/the npm ecosystem.