Split project.lock.json into *.lock.json and *.cache.json #2332
Comments
|
Note: We need to be extremely careful what we do here now that NuGet 3 and MSBuild for UWP apps are using |
|
We spoke about this today and are going to make a split. The current The guidance will be that There is still an open question about putting the current |
|
So is this a way to open up for other tools like paket? |
|
I don't want to turn this bug into a discussion about packet but the |
|
I'm over the moon that the split will happen. Whats the reason for not always generating the file? I see no reason not to always generate the file and losing |
|
Because the behavior of nuget and dnu isn't changing with respect to how dependent versions are resolved. There is really no reason to lock the project in most cases and it breaks version ranges. Meaning you have to keep running commands that constant update the lock file. I agree that it is a valid workflow and there should be a way to work like that but it's not the default required flow. There are still concerns about the |
This has absolutely nothing to do with how versions are resolved and that won't need changing either. When I run The fact that the project file has dependency version ranges will mean that a
I'm still happy that I can now choose to atleast |
|
Wouldn't it be a time-saver if you replaced this with two things?
An up-side of doing it this way is that @forki would single-handedly carry half of vnext on his back with bugfixes in 7 minutes. ;) |
|
@haf as much as I love Paket and hope to see it being integrated with DNX in the future, your comment sets the wrong tone for the active discussion in my opinion. This ticket is to discus the merits of locking by default using
A |
That's inaccurate. |
Because there are certain workflows that make cause friction, like the ones we use. I guess the problem is that we don't preserve our nightly builds forever, they get deleted from myget and having versions checked into source control that update every ci build would be very chatty. We have > 50 repositories that consume builds from each other where the version number is bumped on every build. That would be super noisy. Now on projects where you aren't building all of your own dependencies then it makes more sense. |
|
All it takes for you is to update your CI build to do a dnu update explicitly before building, to make sure whatever is currently committed still works with latest everything. The fact your versions are not stored forever is irrelevant even then in the case of nightlies. For the same reason these versions are probably not tagged there is no need to recommit the changed lock files. |
eek, and flood source control with commits that say, updating versions? I'd rather not 😄
Sure it is. You made a huge point about repeatable builds. Which lock files would we commit? |
|
what commits? I do releases on every commit on myget using paket and they don't trigger commits just as they don't get tagged. |
|
Who commits the updated lock file so to source control? |
|
Why would you need to do that? If the CI explicitly updates to latest? |
|
Is there ever a lock file in source control? |
|
In my hypothetical situation yes you commit one. When you check it out and run dnu restore it will use that *repeatable builds AWESOME. When you run on CI you call If you want CI to only build known states (also VERY common) it can just do |
|
I'm completely with @Mpdreamz on this one; the lock file should be generated by default just like it is with
You should really peruse the discussion we had in paket because it's really oriented towards building for production on .net. |
|
Developer is working on one of our repos and new versions of packages are on the feed, they update the lock file? CI builds needs to build against the latest of everything. Run Who updates source control after the ci passes and produces new packages against the latest dependencies? |
If they update the version in
Who said this is even necessary? these nightly/daily/continuous CI builds do they get git tagged? If its not tag worthy its not commit worthy. In situations where you are cutting real tag worthy releases, commiting the nuget.lock.json is a good thing. If you are doing true continuous deployments to production, never ever would you NOT want to checkin your |
Totally agree!
We're talking about publishing libraries to myget.org (ci) or nuget.org (production). I appreciate that there are other scenarios (like publishing apps to production) but in this scenario I would never check in the lock file until there's a release, like 1.0.0-beta7 for example, which I think is what we do already today. |
|
Should have been more exact on that last comment when I meant true continuous deployments I mean deploy chains that just deploy directly to production (machines, not production nuget feed) after each successful builds on ci (or you know yolo deploy :)). In more staged environments or longer deploy chains (using e.g octopus deploy) you generally still cut releases that have to be pushed to a production nuget feed and then make there way across machines. My point being that there are many ways to setup up integration and production feed publishes combined with many ways to combine those feeds to publish to staged application environments. I can pretty confidently say that the one thing they all have in common is that repeatable builds is of utmost importance. The flows where this is not, such as bleeding edge builds are the exception but our tooling is treating it as the norm.
I think here lies our crux, I'm arguing the lock.json file is always a good thing why do you feel its only useful on releases? Is it not useful on branches, or commits from 2 years ago on master? |
|
I very strongly agree with @Mpdreamz on this one, for all the reason he mentioned. Running |
|
Moving to the RC |
|
Conclusions from the last meeting we had on this:
Once the above changes are made then this new
It shouldn't be required to check the file in and the biggest source of confusion around this will hopefully be resolved. What we don't have is a file that is designed to provide repeatable builds of a given commit, branch, etc at any point in time (assuming the packages are able to be downloaded still). As we examined this it become obvious that there are many workflows that people use and the more opinionated we are in the runtime the less likely we are going to be able to support them. We will create a new issue and look at some workflows and how you would achieve something similar to the lock file without actually baking the concept of a lockfile into the runtime. One of our examples was a global command that could pin a project.json (replace * with resolved package version) and unpin (put the project.json back the way it was). We will look at some of these in the context of some workflows and see how they fit. See what sort of composition model or extension points are required in the runtime to make some of the things we have talked about here possible without the |
|
What command do I run to update all the dependencies to the latest? I was looking for something like
|
|
Yea, we need one of those |
|
So it is just a manual process? I'll start with replacing |
|
We don't have anything right now. Though if you run outdated on the BCL packages as they are authored right now you can end up with a version that is too new that drops compatibility for platforms you may care about. |
|
While I am glad the pseudo lock concept is gone, i still feel this statement is going to hurt us in the long run:
This thing needs to be designed for repeatable builds from the get go, repeatable builds are of paramount importance. If packages become unavailable then this is the risk of the developers workflow not because the defaults of the framework err on the side of failure. Besides this decoupling the act of specifying what dependencies I want from their actual resolved version number is pure developer joy. Consider a greenfield project and i want to use JSON.NET. Now I need to care about the version number. look up what is the lastest and write it down explicitly. If dnx will start to allow * for minor and major versions i bet you a beer or two that most devs will just put Again the Paket workflow gives me both. Another issue is that dependencies versions are now strongly tied to projects not as a repos as a whole. How do I make sure all my project.json's reference the same I would love to hear which scenario's you feel are not servicable using the Paket workflow? Then hopefully someone other then me can refute that better than I have been doing so far :) |
|
@Mpdreamz yes currently paket plays the role of a global dependency manager which helps you understand dependencies in the whole solution. We currently see no way to do the same with vnext projects.
|
is it possible to just create that file and leave dependencies block in project.json empty? we could gitignore *.lock.json then |
Just adding myself to the group that thinks this is crucial before RTM's - and this file should be created by default (!).
A lot of companies host their own local/private NuGet feed exactly to make sure old versions of packages will be available at any point in the future. Also a number of devs will actually commit the NuGet package to source control, for the same reason (which could make a lot of sense for folks using Git LFS). I'll just leave this here in the hope that we learn from the Rails devs ;)
|
|
Closed? What's the resolution? |
|
Dnx has been dead for over a year now. Best to open an issue on nuget about creating a true lock file. In csproj what used to be the lock file is now the assets file and in the obj folder. |
I've read this gist on checking in project.lock files a couple times over and I really feel the current locking design feels optimized for the wrong scenario: finding breaking changes in moving targets. Whereas the more important default scenario should be repeatable builds.
To the best of my understanding the current project.json.lock now serves two purposes, caching the files in play for compilation and optionally locking dependencies using
--lock.This results in a bit of a operational kerfuffle. When do i need to restore using
--lock? Do I need to unignore lock files in release tags, and if so is this not important on dev branch too? if I branch of those tags should i remove the lock file on the first change?What if locking is simply the norm just as it is in Paket?
Restore writes a very minimal
project.lock.json(look at Paket for an example) if not present that you should always commit (eradicating both--lockandlock:falseconfusion).When dnx runs the app for the first time it will generate a
.project.cache.jsonwhich you should never commit.If folks want to check fast moving targets on a CI server they could do
dnu restore --lateston the CI servers explicitly.dnu restore --latestupdates all*dependenciesdnu restore --updateupdates all dependencies to latestdnu restore --outdatedsimply reports on packages that are outdatedTo be fair the wiki does not dictate not checking
project.lock.json files but does leave it up in the air without a consistent story.Even if we do not make locking the norm a split will really help those who do choose to commit the lock file to not be faced with merge conflicts in the cached files section of this lock file.
The text was updated successfully, but these errors were encountered: