Sync deps and engines with npm #2770
Conversation
lukekarrys
changed the title
lukekarrys
force-pushed
the
engines-and-deps
branch
from
9b293b4
to
e33ee18
Compare
|
#2772 addresses the test failures which are unrelated to the changes in this PR |
|
Also if this PR gets accepted, my other PR (#2771) should be reviewed first as I'd want it to make it into the |
lukekarrys
force-pushed
the
engines-and-deps
branch
from
e33ee18
to
6b5651c
Compare
|
@nodejs/node-gyp friendly ping to review this if possible. there's no timeframe, but this refactor will eliminate all non-deduped dependencies within |
lukekarrys
force-pushed
the
engines-and-deps
branch
from
6b5651c
to
665e446
Compare
|
Rebased against |
|
ooof, this is a big changeset, which makes it hard to review; I suspect you're going to have to be very patient trying to get someone to review this, I certainly don't have time to look at this in the immediate future unfortunately. Nice to see all of this done, but doing it all in one go means that the chances of getting it in in a decent timeframe are quite low. |
|
@rvagg i appreciate the comment and agree that the size of the diff is very big. i can break it up into multiple PRs and will consider the best way to do that in order to make reviewing easier. if you have any thoughts on what you would like to see there, please let me know. off the top of my head and i could do the dev deps and linting separately since those changes are 90% automated. and the biggest functional difference is the logging which i could break out as well. the biggest sticking point is that some of the PRs will need to be stacked since for example the logging change can’t be linked with the current version of |
|
Also if it helps you @rvagg I actually took the time to review the changes and it all looks good to me. While I'm not an owner in this repo, hopefully having another collaborator pair of eyes might help. |
|
i'll also add that the commits are ordered and separated very closely to how i would separate them into different PRs, and the ones i linked in the body are the most relevant to a reviewer. but i understand that the github ui leaves something to be desired when reviewing individual commits within a PR |
|
@rvagg plans for this? Happy it takes over my promisify prs |
|
Sorry to suddenly interrupt, but this PR seems stuck, and a security update here depends on it: #2796 (comment) Reading lerna/lerna#3605 indicates waiting for review, but scrolling up a but shows code comments that make it look like this review has already happened. Is github not showing everything? Regardless, what would be required for this to progress? I'm asking because it's related to a security issue, which if I'm reading it right cannot be resolved until this PR is finished and merged: https://nvd.nist.gov/vuln/detail/CVE-2022-25881 Apologies if this comes off strong, it's not my intent. It's just something I noticed a while back and it seems there's no movement. Thought I'd shake the grapevine a bit. Is there someone who needs to get involved in this that has perhaps lost track of it? It happens. |
|
Hey @imatlopez are you able to help review this? It really needs someone with the time and experience with this codebase to walk through it and give it the 👍. I'm unlikely to be able to find any time to do this but on the surface it seems like a worthwhile set of changes, just too much. |
|
I should acknowledge that @ruyadorno also walked through this, that's helpful. It would be good if we had more than one person who's name's familiar around here to give this a tick. This code goes out to a lot of people so we can't ship big changes lightly. |
|
@lukekarrys you have conflicts in the pr, @rvagg gave it another pass today and besides those two comment, it looked ok to me. |
|
I will resolve the conflicts and address the comments this week. |
lukekarrys
force-pushed
the
engines-and-deps
branch
from
8c4a100
to
98086ab
Compare
|
This PR has been rebased to fix conflicts with the latest commits in |
|
@imatlopez @rvagg Thank you both for your feedback on this PR. I believe I've addressed all the feedback presented so far and fixed the conflicts. CI was previously failing on what I believe was a flaky test, but I will wait and watch the currently running CI on this PR to ensure it all passes. |
This reverts commit 02480f6, thereby rolling back dependency make-fetch-happen from ^11.0.3 to ^10.0.3. The upgrade is breaking for node-fetch users as it has transitive dependencies with syntax incompatible with supported Node.js versions. Related: - nodejs#2770 - nodejs#2837 - nodejs#2816 - nodejs#2848 - nodejs#2827 - nodejs#2796
|
Thanks for all your work on this @lukekarrys! Looking forward to this landing! |
|
@lukekarrys seems this has new conflicts @rvagg once those are resolved is merge on the table? |
- this also promiisifies the build command
lukekarrys
force-pushed
the
engines-and-deps
branch
from
98086ab
to
0f75796
Compare
|
Thanks for the heads up @imatlopez! I rebased this PR to fix all the conflicts. Note that the original body of the PR is also updated with the latest commit links. The only real change to fix the conflicts was to drop the commit updating |
|
I'd imagine 2 windows tests are failing (but not all so flaky?) |
|
Re-running the two failed visual studio jobs. |
|
@cclauss Thanks a lot for rerunning, looks like this is good to go now? (This issue indirectly causes a warning on every fresh lerna repo, that's why I'm particularly invested in its outcome 😄) |
|
@JamesHenry , @KoenDG Please |
|
@cclauss I'm not part of the nodejs org, nor remotely familiar with this codebase, so I don't think my review carries much weight here! I'm just happy to see a resolution and if @lukekarrys is happy with it that's good enough for me |
|
The plan is to release this as v10.0.0 sometime in the next couple weeks. Thanks for your patience @JamesHenry. |
This reverts commit 02480f6, thereby rolling back dependency make-fetch-happen from ^11.0.3 to ^10.0.3. The upgrade is breaking for node-fetch users as it has transitive dependencies with syntax incompatible with supported Node.js versions. Related: - nodejs#2770 - nodejs#2837 - nodejs#2816 - nodejs#2848 - nodejs#2827 - nodejs#2796
feat!: update engines.node to ^14.17.0 || ^16.13.0 || >=18.0.0 deps: nopt@^7.0.0 feat: replace npmlog with proc-log deps: standard@17.0.0 and fix linting errors deps: which@3.0.0 fix: promisify build command deps: glob@8.0.3 feat: drop rimraf dependency fix: use fs/promises in favor of fs.promises
Checklist
npm install && npm testpassesDescription of change
The main purpose of this PR is to update dependencies in order to dedupe as many deps as possible within
npm. As can be seen in thenpm/clisource there are a number of dependencies that end up nested withinnode-gyp/node_modulesdue to conflicting versions.To accomplish this a number of other changes were made:
fe5b13aBREAKING CHANGE updateengines.nodeto^14.17.0 || ^16.13.0 || >=18.0.0a729c15Updatestandardto work with newer JS syntax and fix new lint errors9ccc66dThe @npm/cli-team team will be deprecatingnpmlogsoon, so this PR drops that dependency in favor ofproc-log+ an otherwise dependency-less custom logger that includes the subset of functionality fromnpmlogused bynode-gypd485f1bPromisifies thebuildcommand sincewhich@3.0.0is promise only02fc75dPromisifies theremoveandcleancommands after droppingrimrafin favor of native recursive rm withfs.promises.rmCommits
Each commit in the PR is a separate unit of work and I'd be happy to break it up if this is too difficult to review as is.
Reference issues/PRs
After doing the above, I looked through the list of open issues and PRs and identified the following that would either be closed or superseded by this PR.
Closes #2753
Closes #2647
Closes #2358
Closes #2357
Closes #2756
Closes #2379
Closes #2225
BEGIN_COMMIT_OVERRIDE
feat!: update
engines.nodeto^14.17.0 || ^16.13.0 || >=18.0.0deps: nopt@^7.0.0
feat: replace npmlog with proc-log
deps: standard@17.0.0 and fix linting errors
deps: which@3.0.0
fix: promisify build command
deps: glob@8.0.3
feat: drop rimraf dependency
fix: use fs/promises in favor of fs.promises
END_COMMIT_OVERRIDE