Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The "why?" part is missing. Either it's obvious why it shouldn't be done, and there's no need to add this to the readme, or it's not, and that should be explained.
My use case is publishing a CLI application and use patch-package to fix some of the dependencies. It has worked fine for years but lately there's a bug and when I search for some info there's the same "it's not safe" being repeated many times, but it's not explained why or what should be the alternative.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Good question. I don't know the why either. I just saw this comment.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I believe it is because patches are applied to a specific file in your
node_modulesfolder, but when a package is installed by end users the node_modules dependency tree may shift things around, and this shifting could be due to factors that can't be controlled bypatch-package.Also, if the dependency you are patching is also imported by the user of your package, patch package shouldn't patch that version of the package... which is not really possible, at least not without some really weird shenanigans.
To work around this issue I used package.json's
bundleDependenciesto include the actual dependency I patched in my published package.There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@davidmurdoch Nice! By the way, I've used
bundleDependenciesin the past for something else in the past, it works well with npm but I've met an issue with yarn...There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Good to know!
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for clarifying @davidmurdoch, perhaps your comment or a shortened version of it could be included in the readme?