Use fixed dependency versions#479
Conversation
porcelli
left a comment
@baldimir unfortunately this won't help. Doing my own digging on this problem (and I'm learning as we face those issues), the version pin or even the overrides won't make any difference.
The reason is that this is not consumed as a "library" inside a package.json; this is used as `npm install -g` in the Apache repo, which will work around all the version pinning and even the override.
The only viable solutions are: add a shrinkwrap or pnpm-lock file.
I think package-lock.json is enough to lock versions if you don't use version ranges; the only problem is if people pull their own compatible dep versions. So for publishing we can add npm-shrinkwrap.json to enforce for end users the set of deps we have tested and locked down. Anyway, this is just guarding against someone who uses it and doesn't know, or tries to override it on purpose. IMHO no big difference for this as @baldimir removed version minimal declarations.

Agree with @mareknovotny. Yes, people can override versions when they use build-chain, but for build-chain itself, there is no range defined anymore. Based on e.g. this (1), if that is correct, it says: "using a package-lock.json to record exactly which versions of dependencies you installed, but allowing people installing your package to use any version of the dependencies that is compatible with the version ranges dictated by your package.json". There is no version range anymore. I removed all occurrences of "^". @porcelli I guess I may be missing some part of the problem as I am not so experienced with npm. Could you please describe the problematic use case without shrinkwrap in more detail? Or is a version defined in npm as only a version still a version range? What is the range then, please? E.g. if I define a version as "1.13.5", is that still a range?
Reverted simple-git just to see if it helps with the tests. Will do updates afterwards when I see the results. It is possible that act-js and some other kiegroup libraries need to be updated too.

Doing further testing, starting from clean main, in PR: #482

Closing this - replaced by #482



Jira: kiegroup/build-chain-configuration-reader#113
Related PR: kiegroup/build-chain-configuration-reader#113
This PR is built on top of #478
This is a Draft. When there is a new version of build-chain-configuration-reader, I will update the version in this PR and push changes along with the lock file update. Currently, this PR contains the current version of the configuration reader - 3.1.5.