Closed Conduitry closed 7 years ago
Yarn would work; until `yarn upgrade` is run, the dependency versions will be the exact ones specified in the lock file. Also the svelte-benchmark tool already requires yarn, so it's not exactly a new dependency for svelte development.
Re: running `rm -rf node_modules && npm install` during `prepublish` - it sounds like this won't work under npm v4. As of version 4, `prepublish` still runs as part of `npm install`. One of the planned changes for npm 5 is to only run `prepublish` during `publish`, which makes a lot more sense. I'm not sure what the timeline is on npm 5, but this does sound like a nice way to do that, once that change is available.

I don't believe this npm 5 requirement will affect users of Svelte. The `prepublish` scripts wouldn't be run for anyone doing `npm install` on a project that depends on Svelte, just for people running `npm install` on Svelte itself. That makes this a bit more tenable, as long as there's some sort of notice in the readme about this requirement for people who want to hack at the library.
So if we all use Yarn then builds should be completely reproducible. Either that or we can enforce NPM 5 and their new lockfile. Thoughts?
Tempted to say Yarn, because whenever I'm in an npm5 project I really miss `pa[tab]` autocompleting to `package.json` on the command line. Also, easier lockfile merge conflict resolution, I believe.
I've really tried to like npm 5's package-lock.json, but it just doesn't feel ready for prime time yet :(
Forcing maintainers to use yarn isn't a huge deal, plus in the future if we feel that switching back to NPM would be better we can always do that easily.
Great — will delete package-lock.json from the repo and add it to .gitignore
This is following up from something I mentioned on Gitter the other day, wanted to make sure it wasn't lost.
Currently, the released version bundles in whichever versions of dependencies were in Rich's `node_modules` when he built the release. If someone is going to build the release themselves, they could well end up with different versions. And there is no good way for people downloading a particular version of Svelte from npm to know what versions of the various dependencies are actually bundled in to the release. I have two suggestions surrounding this:

1. As a minimum, make running `npm update` or even `rm -rf node_modules && npm install` part of the release process. This ensures that the released version will have the same things bundled into it as someone else would get if they cloned the project at that moment. If updating npm dependencies causes any unit tests to break, they should be addressed before the release is made - otherwise it's a build that can't be reproduced anywhere else.
2. As a nice addition, include some sort of manifest file in the code sent to npm that says what versions of the various dependencies are included in this particular bundle. This might include just top-level dependencies, or maybe it would include all dependencies, not sure. Maybe we could use Yarn and include its lockfile in the releases sent to npm? I haven't really used Yarn much at all and don't have many opinions about it.