
Sync package-lock.json to all tracks

Open tejasbubane opened this issue 4 years ago • 5 comments

Currently we sync root package.json to all exercise directories. Files in exercise directory are served to our users.

Should we also sync package-lock.json to make sure users get exactly the version we intend?

If we decide to sync, we also need to check its integrity.

tejasbubane avatar Jul 30 '19 12:07 tejasbubane

I don't think we should force npm over yarn and I think that npm is way too talkative when it comes to dependencies of dependencies. It also means that we will have to upgrade all exercises way more often (for every patch-level change), which leads to a lot of exercises being denoted as "outdated" even though the content doesn't change at all.

That said, if we want consistent workspaces, it's well worth the effort? What do you think?

SleeplessByte avatar Jul 30 '19 12:07 SleeplessByte

Also: this code doesn't run on the web, not on the internet. Apart from a bad actor (read: pushing a patch level security breach) that would upload shit on postinstall, most of these security issues don't apply to us, at all.

SleeplessByte avatar Jul 30 '19 12:07 SleeplessByte

  1. Detection of "outdated" exercises should be smarter and should not stop the housekeeping.
  2. Exercise instructions use npm.
  3. If you are here to educate people - you should not provide a bad example of ignoring warnings.

KillyMXI avatar Jul 30 '19 12:07 KillyMXI

I don't think we should force npm over yarn

yarn would still work with package.json so I would call it recommending rather than forcing.

It also means that we will have to upgrade all exercises way more often (for every patch-level change), which leads to a lot of exercises being denoted as "outdated" even though the content doesn't change at all.

I am not much keen on the security audit fixes. We can safely ignore those since this is not a critical project.

if we want consistent workspaces, it's well worth the effort? What do you think?

I don't have a strong opinion on this. We can leave this issue open & tackle this as and when someone finds time. Right now versioning & bringing all exercises in sync (https://github.com/exercism/javascript/issues/628) is of more priority for me since a lot of exercises have gone out of sync with canonical data.

tejasbubane avatar Jul 30 '19 12:07 tejasbubane

yarn would still work with package.json so I would call it recommending rather than forcing.

yes, but it leads to "2 lock files" for those users, with inconsistent behaviour, meaning support will be more difficult for us.

I am not much keen on the security audit fixes. We can safely ignore those since this is not a critical project.

Exactly my thinking 💯

Right now versioning & bringing all exercises in sync (#628) is of more priority for me since a lot of exercises have gone out of sync with canonical data.

💯 agreed

SleeplessByte avatar Jul 30 '19 12:07 SleeplessByte