Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

chore: fail early on impossible shrinkwrap #13899

Merged
merged 4 commits into from
Mar 31, 2021
Merged

chore: fail early on impossible shrinkwrap #13899

merged 4 commits into from
Mar 31, 2021

Conversation

rix0rrr
Copy link
Contributor

@rix0rrr rix0rrr commented Mar 31, 2021

If the resolved version of a package (the one we force using Yarn)
does not match the required version of a package (the one in
package.json), then NPM ignores the resolved version and installs
the package from the requires list anyway, even if it's processing
a shrinkwrap file.

Unfortunately, sometimes we have to force this situation, such as with
the netmask issue, where the required version is declared at ^1.0.6
but we need to force it to be resolved to 2.0.1.

Detect this situation early and bail out, so that we don't try to ship something
that doesn't have the version resolution we expected to ship.


By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license

If the **resolved** version of a package (the one we force using Yarn)
does not match the **required** version of a package (the one in
`package.json`), then NPM ignores the resolved version and installs
the package from the `requires` list anyway, *even* if it's processing
a shrinkwrap file.

Unfortunately, sometimes we have to force this situation, such as with
the `netmask` issue, where the required version is declared at `^1.0.6`
but we need to force it to be resolved to `2.0.1`.

Put simply, if resolved does not match required:

* NPM assumes *resolved* is wrong and will install *required*.
* We need it to just install *resolved* and not think too much.

We achieve this by overwriting what's in *required* in the shrinkwrap
file if we encounter this situation.
@rix0rrr rix0rrr requested a review from a team March 31, 2021 09:28
@rix0rrr rix0rrr self-assigned this Mar 31, 2021
@gitpod-io
Copy link

gitpod-io bot commented Mar 31, 2021

@mergify mergify bot added the contribution/core This is a PR that came from AWS. label Mar 31, 2021
@nija-at nija-at added the pr/do-not-merge This PR should not be merged at this time. label Mar 31, 2021
nija-at
nija-at previously approved these changes Mar 31, 2021
// On the root, 'requires' is the value 'true', for God knows what reason. Don't care about those.
if (typeof entry.requires === 'object') {

// For every 'reuqires' dependency, find the version it actually got resolved to and compare.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
// For every 'reuqires' dependency, find the version it actually got resolved to and compare.
// For every 'requires' dependency, find the version it actually got resolved to and compare.


if (!semver.satisfies(resolvedPackage.version, range)) {
// NPM would not like this. Make sure it does.
entry.requires[name] = `^${resolvedPackage.version}`;
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

will caret interfere when we are force-downgrading? Should it just be the specific version rather than caret?

@nija-at nija-at dismissed their stale review March 31, 2021 11:36

see comment

@nija-at
Copy link
Contributor

nija-at commented Mar 31, 2021

Our tests show that while an npm install does work as we would expect it to, npm ls is unhappy and complains about the incompatibility.

@rix0rrr rix0rrr changed the title chore: force shrinkwrap to accept incompatible versions chore: fail early on impossible shrinkwrap Mar 31, 2021
@rix0rrr rix0rrr requested a review from nija-at March 31, 2021 14:17
@rix0rrr rix0rrr removed the pr/do-not-merge This PR should not be merged at this time. label Mar 31, 2021
@iliapolo iliapolo added the pr/do-not-merge This PR should not be merged at this time. label Mar 31, 2021
tools/yarn-cling/test/cling.test.ts Outdated Show resolved Hide resolved
Co-authored-by: Eli Polonsky <epolon@amazon.com>
@rix0rrr rix0rrr removed the pr/do-not-merge This PR should not be merged at this time. label Mar 31, 2021
@mergify
Copy link
Contributor

mergify bot commented Mar 31, 2021

Thank you for contributing! Your pull request will be updated from master and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

@aws-cdk-automation
Copy link
Collaborator

AWS CodeBuild CI Report

  • CodeBuild project: AutoBuildProject89A8053A-LhjRyN9kxr8o
  • Commit ID: 4ada04c
  • Result: SUCCEEDED
  • Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

@mergify
Copy link
Contributor

mergify bot commented Mar 31, 2021

Thank you for contributing! Your pull request will be updated from master and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

@mergify mergify bot merged commit 93dac4c into master Mar 31, 2021
@mergify mergify bot deleted the huijbers/cling-it branch March 31, 2021 17:05
hollanddd pushed a commit to hollanddd/aws-cdk that referenced this pull request Mar 31, 2021
If the **resolved** version of a package (the one we force using Yarn)
does not match the **required** version of a package (the one in
`package.json`), then NPM ignores the resolved version and installs
the package from the `requires` list anyway, *even* if it's processing
a shrinkwrap file.

Unfortunately, sometimes we have to force this situation, such as with
the `netmask` issue, where the required version is declared at `^1.0.6`
but we need to force it to be resolved to `2.0.1`.

Detect this situation early and bail out, so that we don't try to ship something
that doesn't have the version resolution we expected to ship.


----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
hollanddd pushed a commit to hollanddd/aws-cdk that referenced this pull request Aug 26, 2021
If the **resolved** version of a package (the one we force using Yarn)
does not match the **required** version of a package (the one in
`package.json`), then NPM ignores the resolved version and installs
the package from the `requires` list anyway, *even* if it's processing
a shrinkwrap file.

Unfortunately, sometimes we have to force this situation, such as with
the `netmask` issue, where the required version is declared at `^1.0.6`
but we need to force it to be resolved to `2.0.1`.

Detect this situation early and bail out, so that we don't try to ship something
that doesn't have the version resolution we expected to ship.


----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
contribution/core This is a PR that came from AWS.
Projects
None yet
Development

Successfully merging this pull request may close these issues.

4 participants