sveltejs / svelte

Cybernetically enhanced web apps
https://svelte.dev
MIT License
78.63k stars 4.13k forks

More reproducible builds #484

Closed Conduitry closed 7 years ago

Conduitry commented 7 years ago

This is following up from something I mentioned on Gitter the other day, wanted to make sure it wasn't lost.

Currently, the released version bundles in whichever versions of dependencies were in Rich's node_modules when he built the release. If someone is going to build the release themselves, they could well end up with different versions. And there is no good way for people downloading a particular version of Svelte from npm to know what versions of the various dependencies are actually bundled into the release. I have two suggestions surrounding this:

PaulBGD commented 7 years ago

Yarn would work; until yarn upgrade is run, the dependency versions will be the exact ones specified in the lock file. Also the svelte-benchmark tool already requires yarn, so it's not exactly a new dependency for svelte development.

Conduitry commented 7 years ago

Re: running rm -rf node_modules && npm install during prepublish - it sounds like this won't work under npm v4. As of version 4, prepublish still runs as part of npm install. One of the planned changes for npm 5 is to only run prepublish during publish, which makes a lot more sense. I'm not sure what the timeline is on npm 5, but this does sound like a nice way to do that, once that change is available.

I don't believe this npm 5 requirement will affect users of Svelte. The prepublish scripts wouldn't be run for anyone doing npm install on a project that depends on Svelte, just for people running npm install on Svelte itself. That makes this a bit more tenable, as long as there's some sort of notice in the readme about this requirement for people who want to hack at the library.

PaulBGD commented 7 years ago

So if we all use Yarn then builds should be completely reproducible. Either that or we can enforce NPM 5 and their new lockfile. Thoughts?

Rich-Harris commented 7 years ago

Tempted to say Yarn, because whenever I'm in an npm5 project I really miss pa[tab] autocompleting to package.json on the command line. Also, easier lockfile merge conflict resolution, I believe.

Conduitry commented 7 years ago

I've really tried to like npm 5's package-lock.json, but it just doesn't feel ready for prime time yet :(

PaulBGD commented 7 years ago

Requiring maintainers to use yarn isn't a huge deal, plus in the future if we feel that switching back to NPM would be better we can always do that easily.

Rich-Harris commented 7 years ago

Great — will delete package-lock.json from the repo and add it to .gitignore