metron-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Michael Miklavcic <michael.miklav...@gmail.com>
Subject Re: package.lock changes during build?
Date Sat, 25 Aug 2018 20:00:25 GMT
You sir, are a gentleman and a scholar! Thanks for the background info, the
current state of affairs, the controversy, and finally (most of all) the
fix.

On Sat, Aug 25, 2018, 12:52 PM Shane Ardell <shane.m.ardell@gmail.com>
wrote:

> NPM's use of lock files has been quite controversial. I won't go into it
> too deep here as there are endless posts criticizing and justifying their
> approach, but `npm install` will install all modules listed as dependencies
> in package.json and update package-lock.json accordingly instead of
> referencing the lock file. This caused a lot of outrage in the community (I
> would argue rightfully so), which led to a compromise in release 5.7.1 with
> `npm ci`. This command installs exactly what is specified in the
> package-lock.json.
>
> https://blog.npmjs.org/post/171556855892/introducing-npm-ci-for-faster-more-reliable
>
> Metron's build currently uses `npm install`, which is why we are seeing the
> package-lock.json update whenever we build locally. Coincidentally, I just
> addressed this by switching to `npm ci` in an open PR of mine because I
> noticed the same happening locally and I was already updating npm commands
> in the pom.xml.
>
> https://github.com/apache/metron/pull/1096/files#diff-e8f55f2d9e4f18085052a36d750e9648L60
>
>
>
> On Sat, Aug 25, 2018 at 7:13 PM Casey Stella <cestella@gmail.com> wrote:
>
> > Yeah, that's what I thought too, but I wonder if it triggers a change if
> > there's a dependency that is not version locked (i.e. the most recent
> > version of dependency x moved from y to z).
> >
> > On Sat, Aug 25, 2018 at 11:52 AM Michael Miklavcic <
> > michael.miklavcic@gmail.com> wrote:
> >
> > > Somewhere along the line the dependencies appear to have changed, but
> the
> > > file never got checked in. I don't like that this part of our build
> also
> > > seems to be non-deterministic. If I build metron 0.4.x today, for
> > instance,
> > > what will I get? If the answer is "who knows?" that's unacceptable,
> imo.
> > > I've glanced at the package file and see carrots littering the
> > > dependencies, which as I understand it means "get me anything later
> than
> > > this version." I do not think we should be doing that.
> > >
> > >
> > > On Sat, Aug 25, 2018, 9:14 AM Casey Stella <cestella@gmail.com> wrote:
> > >
> > > > I have looked into this for other reasons and the guidance that I've
> > seen
> > > > is to check in package-lock.json into source control.  I'll leave
> this
> > > > stack overflow thread here:
> > > >
> > > >
> > >
> >
> https://stackoverflow.com/questions/44206782/do-i-commit-the-package-lock-json-file-created-by-npm-5
> > > >
> > > > I want to point out that I hate that this changes as part of the
> build.
> > > I
> > > > haven't gotten a complete handle on exactly why package-lock is
> > changing
> > > > seemingly non-deterministically yet.
> > > >
> > > > Casey
> > > >
> > > > On Sat, Aug 25, 2018 at 11:05 AM Nick Allen <nick@nickallen.org>
> > wrote:
> > > >
> > > > > Yes, I have noticed that also, but have not looked deeper.
> > > > >
> > > > > On Sat, Aug 25, 2018 at 10:32 AM Otto Fowler <
> > ottobackwards@gmail.com>
> > > > > wrote:
> > > > >
> > > > > > I just did a PR, can saw that the package.lock file for alerts-ui
> > was
> > > > > > changed, with updated versions.
> > > > > > I did *not* change the file, nor anything in metron-interface.
> That
> > > > seems
> > > > > > to imply that this file is changed or updated by
> > > > > > something that happens during building or deploying full dev.
> > > > > >
> > > > > > Is this true?  How does this work?  Is this on purpose?
> > > > > >
> > > > > > ottO
> > > > > >
> > > > >
> > > >
> > >
> >
>

Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message