-
Notifications
You must be signed in to change notification settings - Fork 3k
shrinkwrap "extraneous" error should be a warning #11040
Comments
While this would be useful in some cases, it undermines the primary goal of shrinkwrapping, which is producing reproducible builds. If we were to relax that to a warning, it would be a footgun that would be very easy to ignore. Thanks for writing this up and pulling together those other issues! |
@othiym23 Would it really undermine the goal of producing reproducible builds? I don't think it would if the allegedly extraneous modules were included in the shrinkwrap, right? |
I believe that it would, for the simple reason that it's very easy to brush off warnings and assume that you know that none of them are going to affect your app when you deploy it, and then later find out that you actually needed one of those "extraneous" dependencies to produce a working deploy.
|
"later find out that you actually needed one of those "extraneous" dependencies to produce a working deploy" How would you find that out if that "extraneous" dependency is added into your shrinkwrap, and therefore in your deployment? The way I use shrinkwrap is to ensure that all the devs are using the same versions of libraries. Npm isn't in any way involved in the deployment, and shouldn't be. It ensures that we don't have he-said she-said issues where a bug is reproducible on one dev's machine and not on others. As such, we shrinkwrap every module change. While I'm sure we're doing things a bit differently than most people, I can't think of a case where including extraneous libraries with a warning would cause problems. That said, if npm fixes its bugs and becomes stable enough where I stop seeing bugs, I'm fine with that too ; ) |
This is annoying. I have some transient dependencies in another project that is shrinkwrapped and am stuck with extraneous errors due to dependencies in the subprojects not being listed in the package.json of the top level project. |
Npm should not be erroring shrinkwrap because it believes you have extraneous modules. Especially when npm is bugging out in a few different ways #11039 #4435 #6298 #10073 #2679 #5135 . This should just be a warning and shouldn't block creation of the shrinkwrap. The shrinkwrap should be created with all the modules (extraneous or not) tho.
The text was updated successfully, but these errors were encountered: