Idea: support package-lock.json from npm 5 #3614
Comments
kof
changed the title
|
I expect this will change in the future, but... What is the current best practice for handling both package-lock.json and yarn.lock? These are the options I'm seeing...
|
|
I would opt for option 1 or 4.. keeping multiple files for the same in sync is tedious and error prone. So our projects use either a package-lock.json or an yarn.lock file, the first option. |
|
At work, we are currently in the following weird situation:
The following approaches would work for us: |
|
In the general packager case Yarn could potentially be used for Packagist (there's a prototype floating around), and perhaps even CocoaPods, in addition to NPM. A PHP project, for example, might have a |
|
If yarn starts managing other types of dependencies, it is still always expected to generate the exact same dependency versions as any other managers of the same dependencies. ( So I would have thought it should always follow the prevailing standard for the type of dependency. I.e., for PHP dependencies it should use |
|
The way I see it Composer is to Pear as Yarn is to NPM. Difference being NPM uses NPM where Composer uses Packagist. If Yarn were to maintain its own standards we could prevent gridlock and tooling complexity which could hamstring Yarn and inhibit forward momentum in other packagers. Is it naïve to think 80% case could boil down to one packager, with additional packagers to add value for 20% and ancillary use cases? It seems such an approach might serve the majority while limiting complexity, allowing innovation on the fringes which could then be generalized and pulled into Yarn as the value proposition becomes clear longer-term. It has always seemed to me this is what NPM itself is doing right now. I could be wrong. |
|
Yes I agree, Yarn wants to maintain its independent space as far as possible, so it has the flexibility to provide a better experience. Which is why, for example, Yarn's CLI is deliberately not compatible with NPM's. However, I think lock files are outside of the space where Yarn can reasonably maintain independence. When NPM wasn't offering the ability to lock dependencies, it made sense for Yarn to create its own For Yarn to be a useful tool, it has to allow developers to follow standard models in their projects, so the project can remain tool-agnostic. Which, after all, is why Yarn was built on top of |
Mingo introduced a breaking change in v1.3.0 (removing the Mingo.setup method). This causes failures when installing save via mongo when no yarn.lock is present. This project uses the new npm 5 package-lock.json, this is not supported by yarn and so mingo gets silently upgraded from 1.1.2 to 1.3.0. It is likely that this project will need to upgrade to the mingo 1.3.0 API, but in the meantime this commit will ensure that 1.1.2 gets installed when using yarn. yarnpkg/yarn#3614
|
mark |
|
Stack Overflow thread discussing one of the problems resulting from having 2 flavors of lock files: https://stackoverflow.com/questions/44552348/should-i-commit-yarn-lock-and-package-lock-json-files |
|
Been doing some reading around this today, stumbled across this in the npm docs.
https://docs.npmjs.com/files/package-lock.json Maybe this is common knowledge, but I certainly thought npm would use the lock file in dependencies. I thought that might be interesting to other people that land on this issue, since I was mostly concerned about people installing my packages with npm 5 because we're not using a package lock (we use Yarn instead). From reading some documentation on Renovate, it seems to make sense that it doesn't use the package lock in dependencies to avoid bloating node_modules and issues with installing two separate versions of packages.
|
@ryansmith94 this behaviour in
|
|
Thanks @nottrobin, that's good to know 😄 |
|
Can someone of yarns core contributors comment on this issue? I would be very interested to hear their opinion. ✌️ |
|
@nicojs I mentioned it on Discord before I replied here, if I remember correctly, they hadn't had time to properly look into it, but did want to get to it. I'm assuming I was talking to a core contributor in the support channel. |
|
From Irish's comment above
So who has a tool they can share? |
|
Now is 2018. This issue is very important in setting consistent version. Core team need investigation in this topic. More duplicated issue will be added and more problems it create than resolve.
NPM won't remove their lock file. Yarn can (pleas don't) do the sam and state will be preserved as is (two lock file) - This issue pleas then set to "wontfix" and add documentation about decision. |
So far this is best solution that works for me. I tried using package-lock file, but unless npm/npm#17722 is resolved I don't see how npm lock file can be considered even barely usable in any large team. So it makes sense for yarn to consider package-lock.json file and update it when changes to real lock file is made, but I don't see |
|
On our CI we simply use: if [ -e 'yarn.lock' ]; then
yarn install
elif [ -e 'package-lock.json' ]; then
npm install
fi |
|
This has to be one of the most popular issues ever to be (apparently) completely ignored by the project maintainers - getting on for a year now. For me this is quite a significant blemish on Yarn's otherwise pretty good reputation. |
|
For those using both npm and yarn together in the same project, how are you maintaining the CLI differences in your scripts? Using multiple package managers in the same project sounds like using multiple version control systems in the same project, or multiple task runners for the same tasks. They do different things in the same use case which is bound to cause undocumented conflicts. yarn and npm may look very similar in terms of features, but they are very different in implementation. Yes, npm is default right now in NodeJS, but that's a known trade-off when picking any alternative package manager. I think the competition is a good thing; as proven with npm's numerous yarn-inspired features after a long period of stagnation. At most, if this hasn't been done already, I think yarn should detect other lock files in a project, warn about them when trying to run a command and provide a useful suggestion. |
|
Hey @jahed - we're actually in the process of implementing the very same. Warning when another lockfile is found and giving the ability to import from it. Here's a PR of mine doing the latter as a first step: I'm hoping we'll be able to merge it soon. You can follow more here if you like: |
|
Merging into #5654. |
Having both `yarn.lock` and `package-lock.json` (i.e. using both Yarn and NPM) could [easily](yarnpkg/yarn#5654) [be](yarnpkg/yarn#3614) [problematic](https://stackoverflow.com/questions/44552348/should-i-commit-yarn-lock-and-package-lock-json-files). In short, it creates a risk of out-of-sync where one author installs with NPM and forgot to update yarn.lock so another author, when using yarn, won't have that dependency. In this PR I propose to drop the use of yarn in favor of NPM since a search in the codebase yields more NPM usages (especially in the doc and in package.json) than Yarn (only in Docker file to install). If others have strong reasons for using Yarn over NPM then feel free to yield them. I don't have strong personal reason for one over another :D
and others
I think we will face the issue in the near future that we get 2 lock files in one project, especially because npm creates it by default. Is there any chance that yarn could use the package-lock.json from npm by default if it is detected?
It would be especially useful for libraries when maintainer uses package-lock, others can still use yarn when installing it.
The text was updated successfully, but these errors were encountered: