Validate NodeJS repo's yarn.lock is in sync with package.json #293
Labels
Comments
|
👍 We definitely want to have similar check for Python's pip package. |
lolski
pushed a commit
to lolski/dependencies
that referenced
this issue
Oct 7, 2022
## What is the goal of this PR? Rewrite `assemble_maven` in Kotlin in order for us to understand it better and improve its maintability/readability. ## What are the changes implemented in this PR? Implement `assemble_maven` in `@graknlabs_bazel_distribution//maven:new_rules.bzl`
|
In my experience, @flyingsilverfin , running That being said, this issue still holds value because we want to verify that the developer has actually run Also, I don't see how this is relevant in |
alexjpwalker
changed the title
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Issue to Solve
Goal: make the developer re-generate
package-lock.jsonfrom scratch every timepackage.jsonis changed.In the NPM environment, it's possible that a
package.json, which is the source of truth, is updated with new versions. However, thepackage-lock.json, which should update when runningnpm install(this is also run viabazel buildin our node-based repositories), may not necessarily change - notably when the installed package in thelockfile do not contradict the new versions required in thepackage.json[note: this is our experience testing with NPM version 7.16.0].This happens often in the Node environment, unlike in Maven, because using range dependencies is conventional especially in transitive dependencies, for example:
Continously regenerating the lock file from scratch negates the point of having a lock file, as two weeks later, for the same commit, newer transitive dependencies could be available and installed and the commit is no longer hermitic.
Thus, the best solution we have is to completely regenerate the
lockfile every time thepackage.jsonfile is modified by the developer, allowing us to have hermitic commits, but also use the latest version of every dependency whenever thepackage.jsonis updated.Proposed Solution
Write two new bazel rules to address this problem, which can be utilised locally and in CI:
check: ensure that the hash ofpackage.jsoncontents matches recorded hash inpackage-lock.jsonsync: re-generate the package-lock.json from scratch (delete - runnpm install), and add the hash of the sourcepackage.jsoninto this file.The intended workflow in CI is to:
checkpasses. Ifcheckfails, tell the user to runsyncto regenerate thepackage-lock.jsonWITH the hash of thepackage.jsoncontents (ie. usingnpm installwill not be sufficient) and make a new commit.Other
we may want to apply something similar in Python!
we probably don't see this issue with dependencies coming up when constantly re-generating the maven snapshots because the Java convention appears to be to not use dependency version ranges nearly as much!
The text was updated successfully, but these errors were encountered: