
chore: Ensure a single copy of @pulumi/pulumi dependency #178

Closed

Conversation

t0yv0 (Member) commented Dec 18, 2024


Having two versions of `@pulumi/pulumi` linked into the provider may cause problems.

See for example:

    pulumi/pulumi#18057 (comment)
    #177

Two versions of `@pulumi/pulumi` may be installed if the `@pulumi/aws` dependency contradicts the direct dependency on that package.

This change takes advantage of a YARN-specific feature called "resolutions" that will make sure that only one version, the one specified in resolutions, is selected by YARN for the lockfile:

    https://yarnpkg.com/lang/en/docs/selective-version-resolutions/

When using NPM, a similar feature is called overrides.

    https://docs.npmjs.com/cli/v9/configuring-npm/package-json#overrides
@t0yv0 t0yv0 requested a review from blampe December 18, 2024 20:42
t0yv0 (Member Author) commented Dec 18, 2024

Alternatively, I think if we have a model where "@pulumi/pulumi": "3.142.0" dependency is a range like "@pulumi/pulumi": "^3.142.0" but we do continue to check in the lockfile, that could work as well, as I think YARN would select a single version of @pulumi/pulumi and the problem would be avoided.

t0yv0 (Member Author) commented Dec 18, 2024

The question is which is easier for Renovate to work with/configure properly? Does it understand how to update "resolutions", or can we instead configure it to leave a version range in package.json here?

t0yv0 (Member Author) commented Dec 19, 2024

CC @flostadler

t0yv0 (Member Author) commented Dec 19, 2024

CC @corymhall

flostadler (Contributor) commented

You can check (and clean) duplicate entries in a yarn lock file using yarn-deduplicate. See how we're doing that in awsx: https://github.com/pulumi/pulumi-awsx/blob/0f52a8d59dfe7ad4949cfbca6750d7cca1c4960a/awsx/package.json#L22-L23

t0yv0 (Member Author) commented Dec 19, 2024

I think this makes more sense.

I have done some searching:

yarn dedupe: https://yarnpkg.com/cli/dedupe

Yarn v2 supports package deduplication natively, so yarn-deduplicate only works with Yarn v1

We use yarn v1 because it is the default on ubuntu-latest images it seems:

https://github.com/actions/runner-images/blob/main/images/ubuntu/Ubuntu2204-Readme.md#package-management

There are some suggestions online that "resolutions" might backfire; also I am still not sure how to teach Renovate to bump "resolutions". So I will try this other alternative you are suggesting, use yarn-deduplicate, and then I think we can ensure Renovate runs after touching this yarn.lock.
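The condition the PR description warns about (two copies of `@pulumi/pulumi` linked into the provider) and the check flostadler suggests (deduplicating the yarn.lock) can both be made visible with a small lockfile scan. The following is an added example written for this page, not code from the PR or from yarn-deduplicate: it parses a Yarn v1 lockfile and lists every package that resolves to more than one version. The two lockfile texts embedded in it are constructed for illustration; the `resolved` URLs, integrity hashes and the `3.140.0` / `6.66.0` version numbers are placeholders, not values taken from the project.

```javascript
// Added example (not from the pulumi PR): report packages that a Yarn v1
// lockfile resolves to more than one version. A provider that ships two
// copies of @pulumi/pulumi is exactly what this detects.

// Parse a Yarn v1 lockfile into [{ descriptors: [...], version: "x.y.z" }].
// An entry starts with an unindented header such as
//   "@pulumi/pulumi@^3.0.0", "@pulumi/pulumi@^3.136.0":
// followed by indented fields, of which we only need `version`.
function parseYarnLockV1(text) {
  const entries = [];
  let current = null;
  for (const rawLine of text.split("\n")) {
    const line = rawLine.replace(/\r$/, "");
    if (line.trim() === "" || line.startsWith("#")) continue;
    if (!/^\s/.test(line) && line.endsWith(":")) {
      const descriptors = line
        .slice(0, -1)
        .split(",")
        .map((d) => d.trim().replace(/^"|"$/g, ""));
      current = { descriptors, version: null };
      entries.push(current);
    } else if (current) {
      const m = line.match(/^\s+version\s+"?([^"\s]+)"?\s*$/);
      if (m) current.version = m[1];
    }
  }
  return entries;
}

// "@scope/name@^1.0.0" -> "@scope/name"; "lodash@4.17.21" -> "lodash".
// The name is everything before the LAST "@", so scoped names survive.
function packageNameOf(descriptor) {
  const at = descriptor.lastIndexOf("@");
  return at > 0 ? descriptor.slice(0, at) : descriptor;
}

// Map each package name to the sorted list of distinct versions it resolves to.
function resolvedVersions(lockText) {
  const byName = new Map();
  for (const entry of parseYarnLockV1(lockText)) {
    if (!entry.version) continue;
    for (const d of entry.descriptors) {
      const name = packageNameOf(d);
      if (!byName.has(name)) byName.set(name, new Set());
      byName.get(name).add(entry.version);
    }
  }
  const result = {};
  for (const [name, versions] of byName) result[name] = [...versions].sort();
  return result;
}

// Only the packages that would be installed more than once.
function findDuplicates(lockText) {
  const dups = {};
  for (const [name, versions] of Object.entries(resolvedVersions(lockText))) {
    if (versions.length > 1) dups[name] = versions;
  }
  return dups;
}

// Constructed sample: the direct pin and the range requested by @pulumi/aws
// resolve to different versions, so two copies would be linked in.
const SAMPLE_LOCK_WITH_DUPLICATE = `# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.
# yarn lockfile v1


"@pulumi/pulumi@3.142.0":
  version "3.142.0"
  resolved "https://registry.yarnpkg.com/@pulumi/pulumi/-/pulumi-3.142.0.tgz#PLACEHOLDER"
  integrity sha512-PLACEHOLDER

"@pulumi/pulumi@^3.0.0", "@pulumi/pulumi@^3.136.0":
  version "3.140.0"
  resolved "https://registry.yarnpkg.com/@pulumi/pulumi/-/pulumi-3.140.0.tgz#PLACEHOLDER"
  integrity sha512-PLACEHOLDER

"@pulumi/aws@^6.0.0":
  version "6.66.0"
  resolved "https://registry.yarnpkg.com/@pulumi/aws/-/aws-6.66.0.tgz#PLACEHOLDER"
  integrity sha512-PLACEHOLDER
  dependencies:
    "@pulumi/pulumi" "^3.136.0"
`;

// Constructed sample after deduplication: every descriptor shares one entry.
const SAMPLE_LOCK_DEDUPED = `# yarn lockfile v1

"@pulumi/pulumi@3.142.0", "@pulumi/pulumi@^3.0.0", "@pulumi/pulumi@^3.136.0":
  version "3.142.0"
  resolved "https://registry.yarnpkg.com/@pulumi/pulumi/-/pulumi-3.142.0.tgz#PLACEHOLDER"
  integrity sha512-PLACEHOLDER
`;

console.log("duplicates:", JSON.stringify(findDuplicates(SAMPLE_LOCK_WITH_DUPLICATE)));
console.log("after dedupe:", JSON.stringify(findDuplicates(SAMPLE_LOCK_DEDUPED)));
```

Run against a real `yarn.lock` by reading the file into `findDuplicates`; a non-empty result for `@pulumi/pulumi` is the state the PR is trying to prevent, and an empty result is what `yarn-deduplicate` (or a single pinned `resolutions` entry) should leave behind. The same check works as a CI gate next to a Renovate bump of the lockfile.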
