-
Notifications
You must be signed in to change notification settings - Fork 4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
chore: fail early on impossible shrinkwrap #13899
Conversation
If the **resolved** version of a package (the one we force using Yarn) does not match the **required** version of a package (the one in `package.json`), then NPM ignores the resolved version and installs the package from the `requires` list anyway, *even* if it's processing a shrinkwrap file. Unfortunately, sometimes we have to force this situation, such as with the `netmask` issue, where the required version is declared at `^1.0.6` but we need to force it to be resolved to `2.0.1`. Put simply, if resolved does not match required: * NPM assumes *resolved* is wrong and will install *required*. * We need it to just install *resolved* and not think too much. We achieve this by overwriting what's in *required* in the shrinkwrap file if we encounter this situation.
tools/yarn-cling/lib/index.ts
Outdated
// On the root, 'requires' is the value 'true', for God knows what reason. Don't care about those. | ||
if (typeof entry.requires === 'object') { | ||
|
||
// For every 'reuqires' dependency, find the version it actually got resolved to and compare. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
// For every 'reuqires' dependency, find the version it actually got resolved to and compare. | |
// For every 'requires' dependency, find the version it actually got resolved to and compare. |
tools/yarn-cling/lib/index.ts
Outdated
|
||
if (!semver.satisfies(resolvedPackage.version, range)) { | ||
// NPM would not like this. Make sure it does. | ||
entry.requires[name] = `^${resolvedPackage.version}`; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
will caret interfere when we are force-downgrading? Should it just be the specific version rather than caret?
Our tests show that while an |
Co-authored-by: Eli Polonsky <epolon@amazon.com>
Thank you for contributing! Your pull request will be updated from master and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork). |
AWS CodeBuild CI Report
Powered by github-codebuild-logs, available on the AWS Serverless Application Repository |
Thank you for contributing! Your pull request will be updated from master and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork). |
If the **resolved** version of a package (the one we force using Yarn) does not match the **required** version of a package (the one in `package.json`), then NPM ignores the resolved version and installs the package from the `requires` list anyway, *even* if it's processing a shrinkwrap file. Unfortunately, sometimes we have to force this situation, such as with the `netmask` issue, where the required version is declared at `^1.0.6` but we need to force it to be resolved to `2.0.1`. Detect this situation early and bail out, so that we don't try to ship something that doesn't have the version resolution we expected to ship. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
If the **resolved** version of a package (the one we force using Yarn) does not match the **required** version of a package (the one in `package.json`), then NPM ignores the resolved version and installs the package from the `requires` list anyway, *even* if it's processing a shrinkwrap file. Unfortunately, sometimes we have to force this situation, such as with the `netmask` issue, where the required version is declared at `^1.0.6` but we need to force it to be resolved to `2.0.1`. Detect this situation early and bail out, so that we don't try to ship something that doesn't have the version resolution we expected to ship. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
If the resolved version of a package (the one we force using Yarn)
does not match the required version of a package (the one in
package.json
), then NPM ignores the resolved version and installsthe package from the
requires
list anyway, even if it's processinga shrinkwrap file.
Unfortunately, sometimes we have to force this situation, such as with
the
netmask
issue, where the required version is declared at^1.0.6
but we need to force it to be resolved to
2.0.1
.Detect this situation early and bail out, so that we don't try to ship something
that doesn't have the version resolution we expected to ship.
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license