Sync package-lock.json to all tracks
Currently we sync the root `package.json` to all exercise directories. Files in the exercise directories are served to our users.

Should we also sync `package-lock.json` to make sure users get exactly the version we intend?

If we decide to sync, we also need to check its integrity.
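One way to do the integrity check the opening post asks for, as an added example rather than code from the exercism/javascript repository: it reads the lockfile's `packages` map (lockfileVersion 2 or 3), confirms each resolved package carries a subresource-integrity hash and an https `resolved` URL, and confirms the lock root still declares the same ranges as `package.json`. The sample `package.json` and lockfile objects are constructed, and `checkLock` is an assumed name.

```javascript
// Added example (not from the exercism/javascript repo): sanity-check a
// package-lock.json before it is synced into every exercise directory, so a
// tampered or drifted lock is caught rather than served to users.

// Accepted SRI hash algorithms; sha1 is legacy, so flag it rather than accept it.
const STRONG_SRI = /^sha(256|384|512)-[A-Za-z0-9+/=]+$/;
const LEGACY_SRI = /^sha1-[A-Za-z0-9+/=]+$/;

function checkLock(pkg, lock) {
  const problems = [];
  const packages = lock.packages;
  if (!packages || typeof packages !== 'object') {
    return ['lockfile has no "packages" map (lockfileVersion < 2?)'];
  }
  const root = packages[''] || {};
  // 1. The lock root must still declare exactly the ranges package.json declares.
  for (const field of ['dependencies', 'devDependencies']) {
    const want = pkg[field] || {};
    const have = root[field] || {};
    for (const [name, range] of Object.entries(want)) {
      if (have[name] !== range) problems.push(`${field}.${name}: package.json wants ${range}, lock has ${have[name]}`);
    }
    for (const name of Object.keys(have)) {
      if (!(name in want)) problems.push(`${field}.${name}: in lock but not in package.json`);
    }
  }
  // 2. Every installed package must be pinned with an integrity hash and fetched over https.
  for (const [path, entry] of Object.entries(packages)) {
    if (path === '' || entry.link) continue; // root and workspace symlinks have no tarball
    if (!entry.integrity) problems.push(`${path}: missing integrity field`);
    else if (LEGACY_SRI.test(entry.integrity)) problems.push(`${path}: weak sha1 integrity`);
    else if (!STRONG_SRI.test(entry.integrity)) problems.push(`${path}: malformed integrity ${entry.integrity}`);
    if (entry.resolved && !/^https:\/\//.test(entry.resolved)) problems.push(`${path}: non-https resolved URL ${entry.resolved}`);
  }
  return problems;
}

// Constructed sample input for a stand-alone run: lodash is fine, jest is not.
const samplePkg = { dependencies: { lodash: '^4.17.21' }, devDependencies: { jest: '^26.0.0' } };
const sampleLock = {
  lockfileVersion: 2,
  packages: {
    '': { dependencies: { lodash: '^4.17.21' }, devDependencies: { jest: '^26.0.0' } },
    'node_modules/lodash': { version: '4.17.21', resolved: 'https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz', integrity: 'sha512-AAAA' },
    'node_modules/jest': { version: '26.6.3', resolved: 'http://registry.npmjs.org/jest/-/jest-26.6.3.tgz' },
  },
};
console.log(checkLock(samplePkg, sampleLock)); // two problems, both about node_modules/jest
```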
I don't think we should force `npm` over `yarn`, and I think that `npm` is way too talkative when it comes to dependencies of dependencies. It also means that we will have to upgrade all exercises way more often (for every patch-level change), which leads to a lot of exercises being denoted as "outdated" even though the content doesn't change at all.

That said, if we want consistent workspaces, it's well worth the effort? What do you think?

Also: this code doesn't run on the web, not on the internet. Apart from a bad actor (read: pushing a patch-level security breach) that would upload shit on postinstall, most of these security issues don't apply to us, at all.
- Detection of "outdated" exercises should be smarter and should not stop the housekeeping.
- Exercise instructions use npm.
- If you are here to educate people - you should not provide a bad example of ignoring warnings.
> I don't think we should force `npm` over `yarn`

`yarn` would still work with `package.json`, so I would call it recommending rather than forcing.

> It also means that we will have to upgrade all exercises way more often (for every patch-level change), which leads to a lot of exercises being denoted as "outdated" even though the content doesn't change at all.

I am not much keen on the security audit fixes. We can safely ignore those since this is not a critical project.

> if we want consistent workspaces, it's well worth the effort? What do you think?

I don't have a strong opinion on this. We can leave this issue open & tackle this as and when someone finds time. Right now versioning & bringing all exercises in sync (https://github.com/exercism/javascript/issues/628) is of more priority for me since a lot of exercises have gone out of sync with canonical data.
> `yarn` would still work with `package.json`, so I would call it recommending rather than forcing.

Yes, but it leads to "2 lock files" for those users, with inconsistent behaviour, meaning support will be more difficult for us.

> I am not much keen on the security audit fixes. We can safely ignore those since this is not a critical project.

Exactly my thinking 💯

> Right now versioning & bringing all exercises in sync (#628) is of more priority for me since a lot of exercises have gone out of sync with canonical data.

💯 agreed