Problem: Users are unintentionally using older versions of node-gyp than the one included w/ NPM because their dependencies are resolving node-gyp to an older version. When node_modules/.bin/node-gyp is present, NPM always defaults to using that local version instead of the global version.
I'd like to start a discussion on this idea:
Is it possible to query the NPM registry, determine the dependent packages with the highest number of downloads, and then reach out to their GitHub repos to ensure that they bump node-gyp on every major release?
I've only entertained this idea for a short while, but it seems like contributors would have to:
1. Find/write some script to find the largest dependents of node-gyp (e.g. canvas).
2. Write a GitHub app/workflow that bumps the declared version of node-gyp, and is triggered by every new major release of node-gyp.
3. Reach out to the GitHub repositories of the largest dependents, and contribute this app/workflow.
4. Finally, advertise this app/workflow to other repositories, so they can also keep their node-gyp versions up-to-date automatically.
While this doesn't guarantee that local versions of node-gyp will be up-to-date, this would significantly reduce the frequency of users reporting issues due to an older node-gyp version. This is because if multiple major versions of node-gyp are present, node_modules/.bin/node-gyp symlinks to the highest version of node-gyp.
Conclusion: For any package, just one dependency using the latest major version of node-gyp is sufficient. If this RFC were accepted, users will report outdated node-gyp versions far less frequently.
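The problem described above (several copies of node-gyp resolved under node_modules, with the hoisted one being the copy whose bin lands in node_modules/.bin) can be checked from a project's lockfile before anyone files a bug. The script below is an added example, not code from the node-gyp project or from this issue: it walks the `packages` map of a lockfileVersion 2/3 package-lock.json, lists every resolved node-gyp copy together with the package that pulled it in, reports the hoisted copy, and flags copies whose major version is behind a given reference version (the version bundled with the installed npm). The lockfile content, package names and versions are constructed for the example.

```javascript
// Added example (not node-gyp project code): audit a package-lock.json for
// resolved node-gyp copies and flag those behind a reference major version.

// Constructed sample lockfile (lockfileVersion 3 "packages" map); the package
// names and version numbers are made up for this example.
const SAMPLE_LOCK = {
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", version: "1.0.0" },
    "node_modules/canvas": { version: "2.11.2", dependencies: { "node-gyp": "^8.0.0" } },
    "node_modules/canvas/node_modules/node-gyp": { version: "8.4.1" },
    "node_modules/some-native-lib": { version: "0.3.0", dependencies: { "node-gyp": "^5.0.0" } },
    "node_modules/some-native-lib/node_modules/node-gyp": { version: "5.1.1" },
    "node_modules/node-gyp": { version: "10.0.1" },
  },
};

// Parse the numeric part of "major.minor.patch" (a leading "v" or a
// pre-release suffix is tolerated); throw on anything else.
function parseSemver(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  if (!m) throw new Error(`unparseable version: ${v}`);
  return { major: Number(m[1]), minor: Number(m[2]), patch: Number(m[3]) };
}

// Every resolved node-gyp copy in the lockfile, as { path, version, requiredBy }.
// requiredBy is the package whose nested node_modules holds the copy, or
// "(hoisted)" for the top-level copy.
function findNodeGypCopies(lock) {
  const copies = [];
  const suffix = "/node_modules/node-gyp";
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    let parent;
    if (path === "node_modules/node-gyp") {
      parent = "(hoisted)";
    } else if (path.endsWith(suffix)) {
      // "node_modules/canvas/node_modules/node-gyp" -> "canvas"
      parent = path.slice(0, -suffix.length).split("node_modules/").pop();
    } else {
      continue;
    }
    copies.push({ path, version: entry.version, requiredBy: parent });
  }
  return copies;
}

// Version of the top-level copy (the one whose bin npm links into
// node_modules/.bin), or null when node-gyp is not hoisted at all.
function hoistedNodeGyp(lock) {
  const entry = (lock.packages || {})["node_modules/node-gyp"];
  return entry ? entry.version : null;
}

// Copies whose major version is behind the reference (e.g. npm's bundled node-gyp).
function outdatedNodeGyp(lock, referenceVersion) {
  const refMajor = parseSemver(referenceVersion).major;
  return findNodeGypCopies(lock).filter((c) => parseSemver(c.version).major < refMajor);
}

// Usage: node audit-node-gyp.js [path/to/package-lock.json] <reference-version>
// Without a lockfile argument the constructed sample above is audited.
if (typeof require !== "undefined" && require.main === module) {
  const fs = require("fs");
  const [lockPath, ref = "10.0.1"] = process.argv.slice(2);
  const lock = lockPath ? JSON.parse(fs.readFileSync(lockPath, "utf8")) : SAMPLE_LOCK;
  console.log("hoisted node-gyp:", hoistedNodeGyp(lock));
  for (const c of findNodeGypCopies(lock)) {
    console.log(`${c.version.padEnd(8)} via ${c.requiredBy.padEnd(18)} ${c.path}`);
  }
  const old = outdatedNodeGyp(lock, ref);
  console.log(old.length ? `${old.length} copy(ies) behind ${ref}` : `all copies at or above major ${ref}`);
}
```

Run against a real lockfile with the node-gyp version reported by `npm ls -g node-gyp` as the reference; each flagged `requiredBy` package is a candidate for the version-bump workflow proposed above.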
https://docs.github.com/en/code-security/dependabot is the workflow that you are talking about and GitHub offers it free of charge to all open-source projects. There are numerous automated tools to keep deps in sync. (https://docs.renovatebot.com for example). Getting developers to implement these tools takes a ton of both time and patience.