Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Use strict versions for internal depedencies #10709

Closed
alexandernanberg opened this issue Oct 26, 2020 · 9 comments
Closed

Use strict versions for internal depedencies #10709

alexandernanberg opened this issue Oct 26, 2020 · 9 comments
Labels
Discussion Infrastructure 🛠️ Stale

Comments

@alexandernanberg
Copy link

🐛 Bug Report

Jest currently uses ^ for all it's internal dependencies which causes issues if there is a bug in a minor/patch release and you want to revert.

E.g. jest has a dependency on @jest/core ^26.5.3, so installing from scratch without a lockfile isn't deterministic if you are using an outdated version of jest.

Most of this can be solved by a lockfile but then you can't refresh the lockfile for other dependencies.

To Reproduce

Steps to reproduce the behavior:

  • Install jest@26.5.3
  • Open yarn.lock and see that @jest/core@26.6.1 was installed

Expected behavior

I think it would be reasonable if the internal packages would use strict versions, e.g @jest/core 26.5.3 instead of @jest/core ^26.5.3

Which results in the consumer's desired version being installed

Link to repl or repo (highly encouraged)

N/A

envinfo

  System:
    OS: macOS 10.15.7
    CPU: (16) x64 Intel(R) Core(TM) i9-9880H CPU @ 2.30GHz
  Binaries:
    Node: 12.19.0 - ~/.nvm/versions/node/v12.19.0/bin/node
    Yarn: 1.22.5 - /usr/local/bin/yarn
    npm: 6.14.8 - ~/.nvm/versions/node/v12.19.0/bin/npm
@SimenB
Copy link
Member

SimenB commented Oct 26, 2020

Yep, this is actually a change I was planning to make for Jest 27 🙂 Haven't discussed it with the team yet, tho.

@jeysal @thymikee thoughts?

@thymikee
Copy link
Collaborator

Lerna bumps deps in package.json in sync with the real ones, so whenever a user upgrades jest, our transitive dependencies will be updated as well and reflected in the lock file. I'm in favor of this.

@jeysal
Copy link
Contributor

jeysal commented Oct 26, 2020

I'm not convinced. If it were 26.x.x i.e. any version of the same major, including lower versions, that would of course be a problem since you may be missing out on new features (and also it'd sometimes just break since Jest packages depend on new features in other Jest packages), but allowing higher versions seems okay to me.
I'm aware locking the version of the packages will usually only force duplication if someone else also does (or wants at least a higher version, e.g. jest and all deps are locked at 27.1.2 and someone else wants jest-worker@^27.2.0), but even then I wouldn't say we have more of a right to do that because we're Jest itself.
I understand that in the case of bugs it can be annoying, but I don't want such accidents to make us abandon a benefit of semver. It sets a bad precedent - as soon as a second major dependent of jest-worker or pretty-format or something does this everyone gets duplication.

@SimenB
Copy link
Member

SimenB commented Oct 26, 2020

We could do it selectively on different packages. We've had bugs with people using a jest-runtime on a newer version of jest-runner and getting weird bugs.

But "commonly consumed" (whatever that means) packages like pretty-format, jest-diff and jest-worker could probably still use ranged? Not sure.

I'm more concerned about reducing bugs than reducing bloat in node_modules - the consumer can dedupe if they want

@jeysal
Copy link
Contributor

jeysal commented Oct 26, 2020

the consumer can dedupe if they want

Well that's the thing, as soon as one other dependent specifies a different fixed version, they can't just dedupe anymore because the versions ranges don't overlap. yarn dedupe won't catch it anymore, and if you even notice, only overriding what the package.jsons say via resolutions or packageExtensions would actually dedupe. This would cancel out a big part of what semver usually achieves - allowing different versions of a package in a tree, but avoiding everyone in the tree getting a distinct one at the same time.

@alexandernanberg
Copy link
Author

@jeysal I see your point, but the problems that come with that are not worth it imo. E.g. right now we're struggling hard with #10716 and pinning jest to a prior version won't work since it automatically installs the latest version.

I'd guess that there will be more of these situations in the future too, e.g that jest@x.0.0 has subtle bugs when used with @jest/core@x.1.0 etc

@github-actions
Copy link

This issue is stale because it has been open for 1 year with no activity. Remove stale label or comment or this will be closed in 14 days.

@github-actions github-actions bot added the Stale label Feb 25, 2022
@github-actions
Copy link

This issue was closed because it has been stalled for 7 days with no activity. Please open a new issue if the issue is still relevant, linking to this one.

@broofa
Copy link
Contributor

broofa commented Feb 15, 2023

Please re-open. I'll direct your collective attention to #13909 for a real-world example of why the current behavior is harmful.

tl;dr: When a BREAKING CHANGE goes out in a minor release, there is no viable way of pinning jest to a non-broken version.

attn: @SimenB

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
Discussion Infrastructure 🛠️ Stale
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
5 participants
@broofa @SimenB @thymikee @alexandernanberg @jeysal