
update README stating this technique is not safe for publishing

Open davidmurdoch opened this issue 4 years ago • 3 comments

Per https://github.com/ds300/patch-package/issues/84, it is not safe to publish npm packages with patched dependencies. This notice should be prominent in patch-package documentation.

Note: I don't expect this PR to be merged as-is, but rather to start a conversation about how to more clearly communicate the use cases for patch-package.

davidmurdoch, Oct 07 '20 15:10

Just wanted to bump this as I didn't catch that this was not supported until I found this thread.

danlevy1, Aug 20 '21 18:08

As mentioned by @papb (https://github.com/ds300/patch-package/pull/270#discussion_r511163692), one way to solve the problem when patching the dependencies of a package that you intend to publish is to use bundledDependencies to make sure it's used, and also use npm's prepare script hook rather than postinstall. If you are patching an indirect dependency, you need to bundle the whole dependency chain up to the patched package; otherwise the intermediate dependencies may be installed "higher" in the host project's node_modules and end up using an unpatched version of the dependency.

I recommend against making patch-package a production dependency and running it via postinstall in a package you publish, because it introduces the risk that the patching fails due to a different deduped version of the dependency that prevents your patch from applying cleanly. For instance, if your patch applies to [email protected] but [email protected] or higher gets installed in the project, your patch might not apply cleanly and cause installation errors. (Friction for users of your package.) Not to mention that even if it applies cleanly, the patch may be useful to your package, but harmful to other consumers of the shared dependency.

mbargiel, Jan 30 '23 18:01
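A pre-publish check that encodes the advice in the comment above, added here as an example and not patch-package's own code. It assumes patch-package's patch file naming (`name+version.patch`, `@scope+name+version.patch` for scoped packages, `parent++child+version.patch` for nested dependencies); the package names `my-lib`, `some-lib` and `left-pad` and both package.json objects are constructed for the example.

```javascript
// Added example (not from patch-package): flag the publishing layouts this
// thread warns about, given a parsed package.json and the names in patches/.
// Assumed patch file convention: "name+version.patch", "@scope+name+version.patch",
// and "parent++child+version.patch" for a patch applied to a nested dependency.

// Turn "some-lib++@scope+name+1.0.0.patch" into ["some-lib", "@scope/name"].
function patchedChain(fileName) {
  const base = fileName.replace(/\.patch$/, "");
  const noVersion = base.slice(0, base.lastIndexOf("+")); // drop "+version"
  return noVersion.split("++").map((seg) => seg.replace(/^(@[^+]+)\+/, "$1/"));
}

// Returns a list of findings; an empty list means the layout matches the advice.
function checkPublishSafety(pkg, patchFiles) {
  const findings = [];
  const scripts = pkg.scripts || {};
  const deps = pkg.dependencies || {};
  const bundledField = pkg.bundledDependencies ?? pkg.bundleDependencies ?? [];
  // npm also accepts `true`, meaning "bundle every production dependency".
  const bundled = new Set(bundledField === true ? Object.keys(deps) : bundledField);
  const runsIn = (hook) => /\bpatch-package\b/.test(scripts[hook] || "");

  if (runsIn("postinstall")) {
    findings.push("patch-package runs in postinstall: consumers re-apply the patches " +
      "against their own, possibly deduped, node_modules; run it from prepare instead");
  }
  if (deps["patch-package"]) {
    findings.push("patch-package is a production dependency; with a prepare hook " +
      "it only needs to be a devDependency");
  }
  for (const file of patchFiles) {
    const chain = patchedChain(file); // chain[0] is the top-level dependency
    if (!bundled.has(chain[0])) {
      findings.push(`${chain.join(" > ")} is patched but ${chain[0]} is not bundled`);
    }
  }
  return findings;
}

// Constructed samples: the layout the thread warns against, and the fixed one.
const unsafePkg = { name: "my-lib", scripts: { postinstall: "patch-package" },
  dependencies: { "some-lib": "^2.0.0", "patch-package": "*" } };
const safePkg = { name: "my-lib", scripts: { prepare: "patch-package" },
  dependencies: { "some-lib": "^2.0.0" }, devDependencies: { "patch-package": "*" },
  bundledDependencies: ["some-lib"] };
const patchFiles = ["some-lib++left-pad+1.3.0.patch"]; // left-pad reached via some-lib

console.log(checkPublishSafety(unsafePkg, patchFiles)); // three findings
console.log(checkPublishSafety(safePkg, patchFiles));   // []
```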

How is this still not included in the README?

It's a very severe limitation! I certainly wish I had known before using this... for it to not work at all in the end. Pardon me for being this straightforward, but I wasted precious time trying to make this work and searching for answers.

Please, for the sake of others who could be in my situation in the future: be explicit about this limitation in your README.

Thank you.

emmacharp, Dec 19 '23 20:12