chore: update all the things #832
Conversation
This is required for security auditing.
@@ -6,4 +6,3 @@ test/build/ | |||
*.covered.js | |||
*.swp | |||
needs-transpile.js | |||
package-lock.json |
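Review bot: un-ignoring package-lock.json on the last line of this hunk means the file is tracked next to the yarn.lock that the thread says already exists in this repository, and nothing in the PR states which of the two lockfiles CI and `npm ci` treat as authoritative; add that to the PR description (or keep only one lockfile), because two lockfiles that resolve different versions undermine the auditing rationale given in the description.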
Why is this necessary?
Because it makes npm faster, enables security auditing, and allows maintainers to track changes to the dependency tree in use during development. npm update works great with it (and faster) to bring everything up to latest and greatest semver. And git conflicts are automatically resolved by npm. There's no reason not to use it, and several reasons to enable it and keep it in source control.
We often use the yarn cache on Travis CI and it just makes it faster with npm ci and this also introduces some overhead in many repos ;-)
npm ci requires having a package-lock.json file present, so it's pretty important to be able to check it into the repo!
I know =) But we have to manage 2 lockfiles then (which is not always the best solution). Just saw now that you created and founded npm =)
Because @latest would have been 6.0.0 afaik.
Many projects have two lockfiles, use snyk and alternatives, and there is a big thread against adding package-lock in libraries (consumers get different or not latest dependencies).
This is what I know so far from the community ;-)
You mean, they have two files both named package-lock.json in the root of the project? I don't understand how that's even possible, I must be misunderstanding you.
There is no reason to not include package-lock.json in libraries. It's never published, and in practice, it makes debugging the rare issues caused by mismatched dependencies easier, because you can tell what the differences are.
> You mean, they have two files both named package-lock.json in the root of the project?
No, yarn.lock + package-lock.json like we have it here now.
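Picking up the two-lockfile situation described here (yarn.lock and package-lock.json side by side) and the earlier point that a tracked lockfile lets you see exactly which resolved versions differ, the following is an added example and not code from this PR or the project: a small Python check that parses a yarn v1 lockfile and a lockfileVersion 1 package-lock.json and reports every package whose resolved versions disagree between the two, so CI can fail when they drift. The sample lockfile contents are constructed for this example; the parsers assume the documented v1 layouts of both formats (indented `version "x.y.z"` lines under each yarn entry, a nested `dependencies` object in package-lock.json).

```python
"""Report packages whose resolved versions differ between yarn.lock (v1)
and package-lock.json (lockfileVersion 1).

Added example for the discussion above; assumptions are marked inline."""
import json
import re
import sys

# Constructed sample yarn.lock (v1 layout: header line(s), then indented fields).
SAMPLE_YARN_LOCK = '''# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.
# yarn lockfile v1


"@scope/pkg@^1.0.0":
  version "1.2.0"
  resolved "https://registry.example.invalid/@scope/pkg/-/pkg-1.2.0.tgz#0000"

lodash@^4.17.0, lodash@^4.17.4:
  version "4.17.10"
  resolved "https://registry.example.invalid/lodash/-/lodash-4.17.10.tgz#0000"

minimist@^1.2.0:
  version "1.2.0"
  resolved "https://registry.example.invalid/minimist/-/minimist-1.2.0.tgz#0000"
'''

# Constructed sample package-lock.json (lockfileVersion 1: nested "dependencies").
SAMPLE_PACKAGE_LOCK = json.dumps({
    "name": "demo", "version": "1.0.0", "lockfileVersion": 1,
    "dependencies": {
        "@scope/pkg": {"version": "1.2.0", "integrity": "sha512-PLACEHOLDER"},
        "lodash": {"version": "4.17.5", "integrity": "sha512-PLACEHOLDER"},
        "semver": {"version": "5.5.0", "integrity": "sha512-PLACEHOLDER"},
        "minimist": {"version": "1.2.0",
                     "dependencies": {"lodash": {"version": "4.17.10"}}},
    },
})


def parse_yarn_lock(text):
    """Return {package_name: {versions}} from a yarn v1 lockfile.

    An entry header such as 'lodash@^4.17.0, lodash@^4.17.4:' lists the
    requested ranges; the indented 'version' line that follows is the
    resolved version. Scoped names ('@babel/core@^7') keep their leading '@'
    because the range is split off at the last '@'."""
    resolved = {}
    current_names = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        if not line.startswith(" "):  # entry header
            current_names = []
            for spec in line.rstrip(":").split(","):
                spec = spec.strip().strip('"')
                current_names.append(spec.rsplit("@", 1)[0])
        else:
            m = re.match(r'\s+version "([^"]+)"', line)
            if m:
                for name in current_names:
                    resolved.setdefault(name, set()).add(m.group(1))
    return resolved


def parse_package_lock(text):
    """Return {package_name: {versions}} from package-lock.json (lockfileVersion 1),
    walking nested 'dependencies' so deduplicated and nested copies both count."""
    resolved = {}

    def walk(deps):
        for name, info in deps.items():
            resolved.setdefault(name, set()).add(info["version"])
            walk(info.get("dependencies", {}))

    walk(json.loads(text).get("dependencies", {}))
    return resolved


def lockfile_drift(yarn_text, npm_text):
    """Return a sorted list of (name, yarn_versions, npm_versions) for every
    package whose resolved version set differs, including packages that
    appear in only one of the two lockfiles."""
    yarn = parse_yarn_lock(yarn_text)
    npm = parse_package_lock(npm_text)
    drift = []
    for name in sorted(set(yarn) | set(npm)):
        yv, nv = yarn.get(name, set()), npm.get(name, set())
        if yv != nv:
            drift.append((name, sorted(yv), sorted(nv)))
    return drift


if __name__ == "__main__":
    # In CI you would read the two real files; here the constructed samples are used.
    problems = lockfile_drift(SAMPLE_YARN_LOCK, SAMPLE_PACKAGE_LOCK)
    for name, yv, nv in problems:
        print(f"{name}: yarn.lock={yv or '-'} package-lock.json={nv or '-'}")
    sys.exit(1 if problems else 0)
```

Run against the real files by reading yarn.lock and package-lock.json instead of the samples; a non-zero exit makes the CI job fail whenever the two lockfiles stop agreeing, which is the failure mode two tracked lockfiles introduce. The check compares resolved versions only; it does not verify the `integrity` hashes, which `npm ci` itself enforces at install time.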
See sindresorhus/ama#479 (comment) and other comments regarding packages / libraries (not apps).
And I still do not understand the downgrade from npm 6 to npm 5. Oh please enlighten me master =)
Force-pushed from 106dbe9 to 5d50415
this looks good to me, once tests pass; @DanielRuf once this lands, let's rebase the pull requests you have open against it.
@@ -5,7 +5,7 @@ environment: | |||
install: | |||
- ps: Install-Product node $env:nodejs_version | |||
- npm cache clear | |||
- npm i npm@latest -g | |||
- npm i npm@5 -g |
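Review bot: `npm i npm@5 -g` on the last line of this hunk still floats within the whole 5.x range, so each CI run may pick up a different npm minor release; if the goal is a reproducible build, pin the exact npm version, and the PR description should state why 5 rather than 6, since the thread reads the change from `npm@latest` as a downgrade.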
Why 5 instead of 6 in this PR? That's what I meant. It's basically a downgrade from 6 to 5. Or am I wrong? =)
Some test failures.