
Locking dependencies with npm shrinkwrap

Open cristiand391 opened this issue 3 years ago • 2 comments

Starting in version 7.165.0 of sfdx, installing via npm produces the exact dependency tree that was used when we created the release.

Why are we making this change?

For installations of sfdx <= 7.164.2, npm installed newer versions of the CLI's dependencies, which sometimes resulted in errors because we hadn't tested those exact combinations. Starting in version 7.165.0, we lock down the CLI dependencies with a shrinkwrap lockfile. As a result, users installing sfdx from npm now get immutable builds.

See npm-shrinkwrap for details.

The sf executable of Salesforce CLI has been including a shrinkwrap lockfile since v1.10.0.

Frequently Asked Questions

This FAQ applies to both executables of Salesforce CLI (sf and sfdx).

Do I need to take some action as a result of this change?

No. Install and update sfdx the same way as always.

Does this change affect the macOS/Windows installers and TAR files?

No. The shrinkwrap lockfile is included only in the package released to the npm registry. The OS-specific installers and TAR files bundle dependencies at release time and don't use this lockfile.

I'm seeing devDependencies being installed in the npm global folder, why is that?

This is probably due to an open (as of Aug 18, 2022) bug in npm. Installing these devDependencies shouldn't affect the functionality of the CLI itself, but it can make npm take longer to finish the installation, because it fetches unused dependencies. It also increases the install size and can cause security scanners to report as vulnerable packages that sfdx doesn't use when distributed.

As of today, if you use npm >= v8, you should not get devDependencies when installing sfdx with the npm install --global sfdx-cli command. If you see this happening, open a new issue.

There's no known workaround for npm v6 (bundled in the current Node v14, Maintenance LTS) to avoid installing these unused devDependencies other than moving to npm v8. Either update your CI pipelines to use Node v16, which includes npm v8, or update npm before installing sfdx by running npm install --global npm@latest.

Note that the EOL of Node v14 is 2023-04-30. We will no longer support v14 after that date. See the Node.js release schedule for more information.

cristiand391 · Aug 18 '22 18:08

Finally... great news. This will reduce a lot of issues.

azlam-abdulsalam · Aug 18 '22 21:08

FINALLY

Now that npm bug makes me continue to distrust npm-based installs, but that is no longer a Salesforce issue.

yippie · Aug 31 '22 13:08