nodejs / corepack

Zero-runtime-dependency package acting as bridge between Node projects and their package managers
MIT License

Validation should be configurable based on operation #406

Open GeoffreyBooth opened 4 months ago

GeoffreyBooth commented 4 months ago

It should be possible to define package manager constraints separately for certain operations, for example install/uninstall operations could get validation but run would allow any package manager. This would allow mixing and matching of package managers, for example pnpm to install packages but then Bun to run scripts.

Split off from #402.

aduh95 commented 4 months ago

Currently you can use an env variable to disable validation, but I think you’re asking about something else. Do you have a specific format for the configuration in mind?

arcanis commented 4 months ago

> This would allow mixing and matching of package managers, for example pnpm to install packages but then Bun to run scripts.

Fwiw as a package manager author that's exactly why I'd prefer Corepack to not support this.

Mixing package managers together has been a relatively frequent source of issues, going from crashes (since the loader hooks aren't set up) to subtly incorrect behaviour (since the Yarn configuration and internal hooks are skipped).

If this feature was supported, we'd likely strongly advise our users against it - perhaps even making it a warning or error if we detected this pattern.

GeoffreyBooth commented 4 months ago

Most package managers don't install loader hooks. Like npm for install and Bun for run should work perfectly well together I'd think. Maybe Yarn would advise against it and that's fine, but I don't think that's universal.

Most people seem to version pin to avoid corrupting lockfiles. That only matters for adding or removing dependencies. If those are the only operations those users need version pinning for, it would open up other use cases to allow validation to be enforced only for those operations.

darcyclarke commented 4 months ago

> Mixing package managers together has been a relatively frequent source of issues, going from crashes (since the loader hooks aren't set up) to subtly incorrect behaviour (since the Yarn configuration and internal hooks are skipped).
>
> If this feature was supported, we'd likely strongly advise our users against it - perhaps even making it a warning or error if we detected this pattern.

So you might say one of Corepack's goals is to ensure package managers do not work together?