shrinkwrap and optionalDependencies #2679
Comments
Same applies to |
Exactly, in current form npm-shrinkwrap is not optimal as using it installs dev dependencies when building deployment package what is far from optimal, also when hosting on azure or heroku shrinkwrapped dev deps are also being installed |
+1 -- we just ran into this problem. It loads dev dependencies in production which do not work.."precommit-hook" module for instance looks for the .git directory which doesn't exist and the whole thing fails. We've had to stop using shrinkwrap altogether. The different dependency groups should be separated in the shrinkwrap file so we can still install in production mode |
The devDependencies issue seems to be solved, they are no longer included by default, but it creates another problem similar to the optional dependency problem described above. If we don't include devDependencies in npm shrinkwrap by using npm shrinkwrap --dev then our build server cannot run the tests since the dev dependencies are not included. If we include the devDependencies in the shrinkwrap then the dev dependencies end up in production which we don't want. Would this be solved by the npm-shrinkwrap file having the same sections as the package.json? Instead of:
It could mimic the package.json:
Then it would be up to npm install and whether NODE_ENV is set to production if the devDependencies are actually installed or not. But the use case for optional dependencies is perhaps more complex then this since it's not an all or nothing deal? |
We ran into this issue as well. We basically want to shrinkwrap the production modules, and leave devDependencies and optionalDependencies in a loose state. There are a few issues:
I haven't tested with Is anyone working on this? I think it's quite important, now that we are supporting multiple platforms (Linux, OS X, and Windows) for development and production. We don't want to add node_modules to the git repository. |
No, I don't think anyone is working on it (to answer your question). It's On Wednesday, October 2, 2013, Bjarke Walling wrote:
|
I believe some of this was implemented a while back:
Try upgrading to the latest npm. |
the issue with optional dependencies still exists. if one of my dependencies contains:
and I run
during the subsequent |
We need to be able to build angular at older shas, without the lock file / shrinkwrap file the dependencies will resolve differently on different machines and at different times. This will help us avoid broken builds and hard to track down issues. I had to manually edit this file after it was generated because `npm shrinkwrap` will install optional dependencies as if they were hard dependencies. See: npm/npm#2679 (comment) My manual edit: diff --git a/npm-shrinkwrap.json b/npm-shrinkwrap.json index 756df44..dc157eb 100644 --- a/npm-shrinkwrap.json +++ b/npm-shrinkwrap.json @@ -3110,19 +3110,7 @@ "chokidar": { "version": "0.8.1", "from": "https://registry.npmjs.org/chokidar/-/chokidar-0.8.1.tgz", - "resolved": "https://registry.npmjs.org/chokidar/-/chokidar-0.8.1.tgz", - "dependencies": { - "fsevents": { - "version": "0.1.6", - "from": "fsevents@0.1.6", - "resolved": "https://registry.npmjs.org/fsevents/-/fsevents-0.1.6.tgz" - }, - "recursive-readdir": { - "version": "0.0.2", - "from": "recursive-readdir@0.0.2", - "resolved": "https://registry.npmjs.org/recursive-readdir/-/recursive-readdir-0.0.2.tgz" - } - } + "resolved": "https://registry.npmjs.org/chokidar/-/chokidar-0.8.1.tgz" }, "glob": { "version": "3.2.9",
We need to be able to build angular at older shas, without the lock file / shrinkwrap file the dependencies will resolve differently on different machines and at different times. This will help us avoid broken builds and hard to track down issues. I had to manually edit this file after it was generated because `npm shrinkwrap` will install optional dependencies as if they were hard dependencies. See: npm/npm#2679 (comment) My manual edit: ``` diff --git a/npm-shrinkwrap.json b/npm-shrinkwrap.json index 756df44..dc157eb 100644 --- a/npm-shrinkwrap.json +++ b/npm-shrinkwrap.json @@ -3110,19 +3110,7 @@ "chokidar": { "version": "0.8.1", "from": "https://registry.npmjs.org/chokidar/-/chokidar-0.8.1.tgz", - "resolved": "https://registry.npmjs.org/chokidar/-/chokidar-0.8.1.tgz", - "dependencies": { - "fsevents": { - "version": "0.1.6", - "from": "fsevents@0.1.6", - "resolved": "https://registry.npmjs.org/fsevents/-/fsevents-0.1.6.tgz" - }, - "recursive-readdir": { - "version": "0.0.2", - "from": "recursive-readdir@0.0.2", - "resolved": "https://registry.npmjs.org/recursive-readdir/-/recursive-readdir-0.0.2.tgz" - } - } + "resolved": "https://registry.npmjs.org/chokidar/-/chokidar-0.8.1.tgz" }, "glob": { "version": "3.2.9", ``` After this change is applied, developers don't need to do anything differently, except when updating dependencies we need to call `npm update && npm shrinkwrap --dev` followed by reappling my patch above until npm's bug.
We need to be able to build angular at older shas, without the lock file / shrinkwrap file the dependencies will resolve differently on different machines and at different times. This will help us avoid broken builds and hard to track down issues. I had to manually edit this file after it was generated because `npm shrinkwrap` will install optional dependencies as if they were hard dependencies. See: npm/npm#2679 (comment) My manual edit: ``` diff --git a/npm-shrinkwrap.json b/npm-shrinkwrap.json index 756df44..dc157eb 100644 --- a/npm-shrinkwrap.json +++ b/npm-shrinkwrap.json @@ -3110,19 +3110,7 @@ "chokidar": { "version": "0.8.1", "from": "https://registry.npmjs.org/chokidar/-/chokidar-0.8.1.tgz", - "resolved": "https://registry.npmjs.org/chokidar/-/chokidar-0.8.1.tgz", - "dependencies": { - "fsevents": { - "version": "0.1.6", - "from": "fsevents@0.1.6", - "resolved": "https://registry.npmjs.org/fsevents/-/fsevents-0.1.6.tgz" - }, - "recursive-readdir": { - "version": "0.0.2", - "from": "recursive-readdir@0.0.2", - "resolved": "https://registry.npmjs.org/recursive-readdir/-/recursive-readdir-0.0.2.tgz" - } - } + "resolved": "https://registry.npmjs.org/chokidar/-/chokidar-0.8.1.tgz" }, "glob": { "version": "3.2.9", ``` Additionally chokidar doesn't list the dependencies above as optional, but that will hopefully be soon fixed: paulmillr/chokidar#106 In the meantime the patch from the PR above needs to be applied to node_modules/karma/node_modules/chokidar/package.json before running `npm shrinkwrap` ---- After this change is applied, angular core developers don't need to do anything differently, except when updating dependencies we need to call `npm update && npm shrinkwrap --dev` followed by reappling my patch above until npm's bug. Closes #6653
We need to be able to build angular at older shas, without the lock file / shrinkwrap file the dependencies will resolve differently on different machines and at different times. This will help us avoid broken builds and hard to track down issues. I had to manually edit this file after it was generated because `npm shrinkwrap` will install optional dependencies as if they were hard dependencies. See: npm/npm#2679 (comment) My manual edit: ``` diff --git a/npm-shrinkwrap.json b/npm-shrinkwrap.json index 756df44..dc157eb 100644 --- a/npm-shrinkwrap.json +++ b/npm-shrinkwrap.json @@ -3110,19 +3110,7 @@ "chokidar": { "version": "0.8.1", "from": "https://registry.npmjs.org/chokidar/-/chokidar-0.8.1.tgz", - "resolved": "https://registry.npmjs.org/chokidar/-/chokidar-0.8.1.tgz", - "dependencies": { - "fsevents": { - "version": "0.1.6", - "from": "fsevents@0.1.6", - "resolved": "https://registry.npmjs.org/fsevents/-/fsevents-0.1.6.tgz" - }, - "recursive-readdir": { - "version": "0.0.2", - "from": "recursive-readdir@0.0.2", - "resolved": "https://registry.npmjs.org/recursive-readdir/-/recursive-readdir-0.0.2.tgz" - } - } + "resolved": "https://registry.npmjs.org/chokidar/-/chokidar-0.8.1.tgz" }, "glob": { "version": "3.2.9", ``` Additionally chokidar doesn't list the dependencies above as optional, but that will hopefully be soon fixed: paulmillr/chokidar#106 In the meantime the patch from the PR above needs to be applied to node_modules/karma/node_modules/chokidar/package.json before running `npm shrinkwrap` ---- After this change is applied, angular core developers don't need to do anything differently, except when updating dependencies we need to call `npm update && npm shrinkwrap --dev` followed by reappling my patch above until npm's bug. Closes #6653
+1 This is still a problem. |
+1 We just ran into this as well. |
This is now tagged onto the npm road map. I can't promise that this is something we'll get to immediately, but the npm CLI team does plan to address this within the medium term (6-12 months). It will probably require making some hard choices about how to handle this case in a robust way, and may end up being a semver-major change (in that shrinkwraps that fix this may end up not being interoperable with older versions of npm). Also, this is at least partially a duplicate of #6801. |
Hi @othiym23, my organization has also been suffering from this issue. I've read through the v3 source involved in installing and shrink-wrapping dependencies, and from a technical angle, it seems feasible to create a shrinkwrap process that can account for the installation failure of optional dependencies. The two scenarios that seem to require resolution are:
For the first scenario, would it be possible to simply check if the package's parent has it listed in its The second scenario seems a bit more complicated. It would seem that, during the shrinkwrap process, you would want to iterate through all optional dependencies, generating an I'm curious to know if there is anything glaringly infeasible about this approach. Given the impact this is having on my team, I'm invested in at least discovering if a resolution is possible, and contributing to the cause if it is. |
The workaround I've been doing is:
Not ideal, but easy-ish to automate, and not too difficult to manage. |
Thanks @lxe I've been doing the same and it works. |
… broken for us, see npm/npm#2679)
If this issue isn't going to get fixed, can we get something added to the caveats section of the documentation (https://docs.npmjs.com/cli/shrinkwrap#caveats) that npm shrinkwrap isn't meant to be used between different environments? The optionalDependencies documentation (https://docs.npmjs.com/files/package.json#optionaldependencies) should also be updated to say that it's not compatible with "npm shrinkwrap". It could save people a lot of time. I don't know how many this issue has bitten me. |
I really wish this wasn't just closed as "won't fix, the bug is now intended behavior". Documenting it as a caveat is fine, but not that it is not meant to be used between different environments, just that it isn't currently supported. At least I'm pretty sure the overwhelming majority of Mac developers don't use Mac servers for their production hosts. You would also have to get all your developers to run the same OS. Systems like Vagrant and Docker help, but requiring developing in a VM to be able to deal with shrinkwraps is not very nice. |
@JamieMason apparently this makes no difference, i've learned. |
fsevents is macOS only, and npm-shrinkwrap tries to force it onto other architectures, causing build failures. Upstream: npm/npm#2679. fixes #38657 for the 4.7 branch. Built from https://develop.svn.wordpress.org/branches/4.7@39368 git-svn-id: http://core.svn.wordpress.org/branches/4.7@39308 1a063a9b-81f0-0310-95a4-ce76da25c4cd
fsevents is macOS only, and npm-shrinkwrap tries to force it onto other architectures, causing build failures. Upstream: npm/npm#2679. fixes #38657 for the 4.7 branch. Built from https://develop.svn.wordpress.org/branches/4.7@39368 git-svn-id: http://core.svn.wordpress.org/branches/4.7@39308 1a063a9b-81f0-0310-95a4-ce76da25c4cd
I'm not sure if this actually makes a difference, though. See the following issues for more info: * npm/npm#3870 * npm/npm#2679
fsevents is macOS only, and npm-shrinkwrap tries to force it onto other architectures, causing build failures. Upstream: npm/npm#2679. fixes #38657 for the 4.7 branch. Built from https://develop.svn.wordpress.org/branches/4.7@39368
This should be a way higher priority to fix. yarn has shown that people need lockfiles, and npm's lockfile system (shrinkwrap) is obviously broken |
FWIW, yarn has also had issues with optional dependencies:
For my part, I have had good luck with |
Per the release of npm v5: http://blog.npmjs.org/post/161081169345/v500
Does npm v5 fix this optionalDependencies issues, it sounds like it to me 🤔 |
Arghhhh... I just created a I immediately thought of this issue which I thought was resolved as part of npm 5 (per my own above comment FWIW), turns out it's not. Once I manually removed Here's the PR where this occurred: stylelint/stylelint#2670 I'm going to close that PR and add |
So package-lock.json/shrinkwrap is a dead concept? |
fsevents is macOS only, and npm-shrinkwrap tries to force it onto other architectures, causing build failures. Upstream: npm/npm#2679. fixes #38657 for the 4.7 branch. Built from https://develop.svn.wordpress.org/branches/4.7@39368
fsevents is macOS only, and npm-shrinkwrap tries to force it onto other architectures, causing build failures. Upstream: npm/npm#2679. fixes #38657 for the 4.7 branch. Built from https://develop.svn.wordpress.org/branches/4.7@39368 git-svn-id: http://core.svn.wordpress.org/branches/4.7@39308 1a063a9b-81f0-0310-95a4-ce76da25c4cd
We have to shrinkwrap, since some of our dependencies are loose, and that's no good for production. Still, some of the dependencies are optional, depending on the OS.
If we include a shrinkwrap file, then npm doesn't even try to install optional dependencies. And if we shrinkwrap after the optional has been installed, it's no longer optional.
The text was updated successfully, but these errors were encountered: