Isaacs/install finish #1245
Ok, just had a "how hard could it be? 🤷♂️" moment, and took a crack at doing this in cli. Yeah, no. It needs to be an arborist thing. The thing that's there is kind of broken/incomplete anyway, and I don't want to reimplement half of reify outside of Arborist, that sense makes not any.
ah great, I see it fixes #1234
Just a small comment, otherwise everything LGTM 👍
Notes:
- Let's add tests later, make sure we also have 100% coverage across the cli
- Some of the builds are currently broken with an exit signal on install 🤔 is that expected?
if (npm.flatOptions.depth !== Infinity) { | ||
log.warn('update', 'The --depth option no longer has any effect. See RFC0019.\n' + | ||
'https://github.com/npm/rfcs/blob/latest/accepted/0019-remove-update-depth-option.md') |
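Review bot: the condition `npm.flatOptions.depth !== Infinity` on the first line treats `Infinity` as the only value that means no depth was requested, so the warning is only correct while that is the resolved default for `depth`. A one-line comment above the `if` stating that assumption would make it obvious what to revisit if the default is ever changed, since the warning would then either fire on every update or never fire.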
I'd prefer to be even more cautious and link to: https://github.com/npm/rfcs/blob/ea2d3024e6e149cd8c6366ed18373c9a566b1124/accepted/0019-remove-update-depth-option.md instead
Hm! I considered that, but I figured if we ever update it or something, we'd want to have the user see the latest and greatest version, no?
I would still prefer linking to the commit as I can see many possible problematic things happening:
- what if us (or a future team working on this repo) decides to rename branches? `latest` to `master`, etc
- what if someone at a point in future decides to rename the `accepted` folder?
- what if that rfc gets withdrawn and/or moved to a diff folder?
Although it seems unlikely in the near-future, I had been bitten by these sorts of changes in the past and I grew to really appreciate linking to the commit blob links instead, just by seeing these things actually happening 😊
but then again I also see that the chance of this message changing before any of the aforementioned happening is also really high 😄
ooohh actually might be a good idea to rebase
cd6840b to e57a991
This adds support for Arborist.audit()
This adds a 'reify-output.js' util, which can be passed any Arborist object after it reifies a tree. Consistent output is printed in all cases, showing the number of packages added/removed/changed, packages needing funding, and a minimal (but always actionable and relevant) audit summary.
The only code using the Installer class now is in lib/outdated.js, which has a pending update coming soon.
Prune and dedupe commands are awaiting top-level Arborist methods, so that they can be similarly tightened up. (For now, this commit just has them fail with a 'coming soon' message.)
The last piece holding the 'install/*.js' code in this repo is that it is used in 'ls', 'fund', 'shrinkwrap', and the error-message util.
We buffer the output for scripts, and throw it away if the failure is not something we have to care about. But if we DO have to care about it, it's important to show it. This is a bare-minimum approach. The error handling stuff here could use a careful refactor, and it'd be nice if @npmcli/promise-spawn put something more definitive on the error it returns, so that we didn't have to duck-type it like this.
01300dd to 56a688a
PR-URL: #1245
Credit: @isaacs
Close: #1245
Reviewed-by: @ruyadorno
Landed on release/v7.0.0-beta. Thanks!
Big red diff day!
Sorry for the massive drop. The main things going on here:
- `arborist.reify()` have been ported to actually use Arborist (except for `prune` and `dedupe` that are blocked by Arborist lacking those features for the moment.) That is: install, ci, rm, update, audit, audit fix.
- `util/reify-output.js` module is added, which all of these call to produce consistent output after operation.
- `npm audit` is almost where it needs to be, but Arborist.audit() and npm-audit-report need to be made aware that bundled deps can't be fixed with `npm audit fix`.
- `npm audit fix`, it'll print a full audit, so you don't have the annoying behavior of running `npm audit fix` and having it tell you to run `npm audit fix` again. (Also: it'll only suggest running `npm audit fix` if there's actually something that can be fixed, and `npm audit fix` can fix transitive meta-dependency issues no matter how deep!)
- `npm shrinkwrap` is updated to use Arborist, so that it will always update the shrinkwrap to the latest and greatest lockfileVersion.
Unfortunately, we still can't fully remove the `lib/install/` folder, because it's being used by ls, fund, and `util/error-message.js`. But almost!
Next up for pieces keeping lib/install/*.js and lib/fetch-package-metadata.js around:
- `prune` in Arborist
- `dedupe` in Arborist
- `rebuild` in Arborist (or, if not a top-level arborist method, implement it using Arborist.loadActual() and bin-links instead; but it really feels like it might be more under Arborist's charter than the cli's.)