Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Remove dev-dependency on npm-check-updates. #959

Merged
merged 2 commits into from
Apr 17, 2018

Conversation

abernix
Copy link
Member

@abernix abernix commented Apr 11, 2018

It appears that the intention of including npm-check-updates in this repository was to provide an easy way to update dependent packages from the console. This was originally introduced in Ref 0.

Unfortunately, the npm-check-updates package has an explicit dependency on npm@3, which means that it includes the entire npm in its node_modules.

I originally observed this when analyzing the test failures in Ref 1 and Ref 2 which indicated (in its npm error) that the npm version was v3.10.10.

The explanation for this is relatively straight-forward: Older versions of npm uses an nested tree of node_modules directories while newer versions hoist node_modules (i.e. flatten) to the highest location possible and only nesting dependencies to meet conflicting version constraints.

Unfortunately, that means that once npm@3 was installed by the newer npm@5 as a dependency of npm-check-updates, it was hoisted to the top-level node_modules directory, exposing npm@3 to npm-scripts which directly call npm commands on the nested packages, as is done on this monorepo (with, for example the postinstall script which runs npm run compile in each of the server middleware packages). :face_palm:

Overall, this package doesn't seem to provide enough value for us to continue to include it, especially since we have Renovate - coupled with the same information being available from npm outdated and npm update commands. I'm not sure why we would want to install newer versions than our "package.json" allows.

Futhermore, looking at the issue tracker on npm-check-updates, I'm assuming this is the reason I've seen "dezalgo" install errors (Ref 3) on this repository recently and possibly even a bizarrely corrupted npm cache I encountered recently (though admittedly, that could be a stretch).

See also: Ref 4.

abernix added 2 commits April 11, 2018 12:48
It appears that the intention of including `npm-check-updates` in this
repository was to provide an easy way to update dependent packages from the
console.  This was originally introduced in [Ref 0].

Unfortunately, the `npm-check-updates` package has an explicit dependency on
`npm@3`, which means that it includes the entire `npm` in its
`node_modules`.

I originally observed this when analyzing the test failures in [Ref 1] and
[Ref 2] which indicated (in its npm error) that the npm version was v3.10.10.

The explanation for this is relatively straight-forward: Older versions of
npm uses an nested tree of `node_modules` directories while newer versions
hoist `node_modules` (i.e. flatten) to the highest location possible and
only nesting dependencies to meet conflicting version constraints.

Unfortunately, that means that once `npm@3` was installed by the newer
`npm@5` as a dependency of `npm-check-updates`, it was hoisted to the
top-level `node_modules` directory, exposing `npm@3` to `npm-scripts` which
directly call `npm` commands on the nested packages, as is done on this
monorepo (with, for example the `postinstall` script which runs `npm run
compile` in each of the server middleware packages). :face_palm:

Overall, this package doesn't seem to provide enough value for us to
continue to include it, especially since we have Renovate - coupled with the
same information being available from `npm outdated` and `npm update`
commands.  I'm not sure why we would want to install newer versions than our
"package.json" allows.

Futhermore, looking at the issue tracker on `npm-check-updates`, I'm
assuming this is the reason I've seen "`dezalgo`" install errors [Ref 3] on
this repository recently and _possibly_ even a bizarrely corrupted npm cache
I encountered recently (though admittedly, that could be a stretch).

See also: [Ref 4].

[Ref 0]: d7ca07f7
[Ref 1]: https://circleci.com/gh/apollographql/apollo-server/1915
[Ref 2]: https://app.netlify.com/sites/apollo-server-docs/deploys/5acdd3b7
[Ref 3]: raineorshine/npm-check-updates#420
[Ref 4]: raineorshine/npm-check-updates#423
@abernix abernix merged commit 0c6b1bd into master Apr 17, 2018
@abernix abernix deleted the abernix/remove-npm-check-updates branch April 17, 2018 19:59
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Apr 23, 2023
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

1 participant