autorest icon indicating copy to clipboard operation
autorest copied to clipboard

Published 20 hours ago verified publisher icon Azure

Extensions and pinned dependencies

Open mikeharder opened this issue 2 years ago • 2 comments

Extension @autorest.testmodeler was recently broken by an update to a transitive dependency (https://github.com/Azure/azure-sdk-tools/issues/5183).

The @autorest.testmodeler package includes an npm-shrinkwrap.json file, in an attempt to pin it's dependencies. However, autorest uses yarn instead of npm to install extensions, and yarn ignores npm-shrinkwrap.json inside packages.

Is there an alternative solution for autorest extensions to pin their dependencies (including transitive)? Note that even if an extension package pins all their direct dependencies in their package.json, this doesn't help with unpinned transitive dependencies.

If not, should autorest switch from using yarn to npm, so extension packages can successfully use npm-shrinkwrap.json?

If extensions have no way to pin dependencies, they will always be at risk of failing when updated dependencies are published.

mikeharder avatar Jan 24 '23 02:01 mikeharder

Did we end up on the bundling the source as a solution or this is still on the table?

timotheeguerin avatar Mar 20 '23 16:03 timotheeguerin

@autorest/testmodeler is bunding dependencies for now, however I still think using npm and npm-shrinkwrap.json would be better than using the non-standard yarn to install extensions.

mikeharder avatar Mar 20 '23 17:03 mikeharder

Closing unless we get more feedback this is needed

mikeharder avatar Apr 01 '24 22:04 mikeharder