ApplicationInsights-JS
Pin nevware21 dependency versions
Topic
ApplicationInsights-JS is using a version range when including dependencies by @nevware21 (and others), for example
"@nevware21/ts-utils": ">= 0.9.5 < 2.x",
"@nevware21/ts-async": ">= 0.2.4 < 2.x"
So when, for example, @nevware21/ts-async introduces a new release within the version range which has a regression, users of ApplicationInsights-JS will be affected by this regression immediately, even without an ApplicationInsights-JS release.
This just happened. For details, see https://github.com/nevware21/ts-async/issues/65
Feature request
Please pin @nevware21 dependencies
We have the same problem.
If anybody needs quick fix until proper fix is deployed, just put this to your package.json file:
"overrides": {
  "@microsoft/applicationinsights-web": {
    "@nevware21/ts-utils": "0.9.5",
    "@nevware21/ts-async": "0.2.4"
  }
}
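An added example (not from this thread or the ApplicationInsights-JS project) of how such an overrides block can be derived rather than hand-written: it reads the dependency ranges a top-level package declares and pins each one to the version already resolved in package-lock.json. The lockfile fragment below is constructed for the example and assumes the lockfileVersion 2/3 "packages" layout.

```javascript
// Added example: build an npm "overrides" block that pins a package's
// range-specified dependencies to the versions currently resolved in
// package-lock.json. The lock data here is constructed, not real.

// Constructed fragment of a package-lock.json "packages" map.
const lock = {
  "node_modules/@microsoft/applicationinsights-web": {
    dependencies: {
      "@nevware21/ts-utils": ">= 0.9.5 < 2.x",
      "@nevware21/ts-async": ">= 0.2.4 < 2.x",
      "@microsoft/applicationinsights-core-js": "0.0.0-constructed",
    },
  },
  "node_modules/@nevware21/ts-utils": { version: "0.9.5" },
  "node_modules/@nevware21/ts-async": { version: "0.2.4" },
  "node_modules/@microsoft/applicationinsights-core-js": { version: "0.0.0-constructed" },
};

// An exact version has no range operators, wildcards or spaces.
function isPinned(spec) {
  return /^\d+\.\d+\.\d+(?:[-+][0-9A-Za-z.-]+)?$/.test(spec.trim());
}

// Return parent's range-specified deps mapped to the version recorded in
// the lockfile. Nested installs (node_modules/parent/node_modules/dep)
// take precedence over the hoisted top-level copy, as npm resolves them.
function pinRanges(lockPackages, parent) {
  const entry = lockPackages[`node_modules/${parent}`];
  if (!entry) throw new Error(`${parent} not in lockfile`);
  const pins = {};
  for (const [dep, spec] of Object.entries(entry.dependencies || {})) {
    if (isPinned(spec)) continue; // already exact, nothing to pin
    const resolved =
      lockPackages[`node_modules/${parent}/node_modules/${dep}`] ||
      lockPackages[`node_modules/${dep}`];
    if (!resolved) throw new Error(`${dep} not resolved in lockfile`);
    pins[dep] = resolved.version;
  }
  return pins;
}

// Wrap the pins as the package.json "overrides" section.
function buildOverrides(lockPackages, parent) {
  return { overrides: { [parent]: pinRanges(lockPackages, parent) } };
}

console.log(JSON.stringify(buildOverrides(lock, "@microsoft/applicationinsights-web"), null, 2));
```

Re-running it after an intentional upgrade regenerates the block, so the pins follow the lockfile instead of drifting from it.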
Sorry all, I work really hard to avoid regressions so the range (should) not normally cause an issue (at least until v2 when I'll likely drop ES5 support).
The release PR (for ts-async) is currently building and once committed should be available within the hour. Fix PR: https://github.com/nevware21/ts-async/issues/65 Release PR: https://github.com/nevware21/ts-async/pull/67
Can't even npm install
my project that has a @microsoft/[email protected]
dependency at the moment.
npm ERR! code E404
npm ERR! 404 Not Found - GET https://registry.npmjs.org/@nevware21%2ftools-pre-proc - Not found
npm ERR! 404
npm ERR! 404 '@nevware21/[email protected]' is not in this registry.
npm ERR! 404
npm ERR! 404 Note that you can also install from a
npm ERR! 404 tarball, folder, http url, or git url
Pretty severe bug!
Yes, understood.
I wasn't quite ready to release the pre-proc project publicly as a package just yet, which is why this issue occurred. And I normally do a sanity check of my consuming packages after publishing new releases. However, the main project where I'm using ts-async is currently in pieces (not built) - so I didn't try -- I should have, as this issue would have been picked up during install...
v0.2.6 is now releasing... < 1m it will be available
@nev21 Works now, thanks 👍
Sorry for introducing the issue. I'll work on getting some additional safeguards put in place so that we don't cause this type of issue again.
Pinning is both good and bad.
Good: Avoids issues like this.
Bad: If any dependency project has any security issues that they fix with a new release we would need to also release a new version... It also causes multiple versions getting included into bundles when upstream consumers want to use a different version (which we do have internally for some dependencies).
As this is already addressed, I'll keep this for now as is. But I'll also keep this open so that we can consider pinning should this occur again (for this or any other dependency).
No worries, this can happen.