relative-deps

Verify transitive dependencies

Open mweststrate opened this issue 6 years ago • 4 comments

Currently, relative packages are not installed through yarn / npm, but simply extracted. While in general that works great, it might cause issues if there are differences between the transitive dependencies of the local package, and the published one. It would be great to detect and fix that.

mweststrate, Jun 23 '19 11:06

npm supports installing a tarball, so we can run install here - https://github.com/mweststrate/relative-deps/blob/master/index.js#L150

rifler, Jul 15 '19 19:07

Yeah, biggest problem is that it makes the process very slow. So for development purposes it is not really suitable imho. But probably we could do something smart, like install from tarball only if package.json changed or something.


mweststrate, Jul 15 '19 20:07

> So for development purposes it is not really suitable imho

Most often yes, but what if the package has deps that cannot be deduped?

node_modules
  lodash@3
  relative-dep
    node_modules
      lodash@2

I don't know how often this happens. I suppose that for a UI lib it is not good to have deps (better to have peerDeps and devDeps for tests), but for a server lib it is quite a normal situation. Maybe I am wrong.

rifler, Jul 16 '19 09:07

I think this can be quite simply supported: on first install / changed package.json do a normal npm install of the tarball. On incremental installs, remove everything but the node_modules and update from the tarball.


mweststrate, Jul 18 '19 10:07
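
A sketch of the check discussed in this thread, added here as an example and not code from relative-deps: fingerprint the dependency fields of the installed copy's package.json against the local checkout's, and do a full npm install of the tarball only on first install or when they differ. The function names, the choice of fields, and the sample manifests are assumptions.

```javascript
const crypto = require("crypto");

// Assumption: these are the fields that decide what a tarball install resolves.
const DEP_FIELDS = ["dependencies", "optionalDependencies", "peerDependencies"];

// Stable fingerprint of the dependency-relevant part of a package.json object.
function depFingerprint(manifest) {
  const picked = DEP_FIELDS.map((field) => {
    const deps = manifest[field] || {};
    // Sort names so key order in the file does not change the hash.
    return [field, Object.keys(deps).sort().map((name) => [name, deps[name]])];
  });
  return crypto.createHash("sha256").update(JSON.stringify(picked)).digest("hex");
}

// installedManifest: package.json of the copy in node_modules (null on first install).
// localManifest: package.json of the local checkout that is about to be packed.
function chooseInstallMode(installedManifest, localManifest) {
  if (installedManifest === null) return "full";
  return depFingerprint(installedManifest) === depFingerprint(localManifest)
    ? "incremental"
    : "full";
}

// List the dependency ranges that differ, to report why a full install is needed.
function changedDeps(installedManifest, localManifest) {
  const changes = [];
  for (const field of DEP_FIELDS) {
    const before = (installedManifest && installedManifest[field]) || {};
    const after = localManifest[field] || {};
    for (const name of new Set([...Object.keys(before), ...Object.keys(after)])) {
      if (before[name] !== after[name]) {
        changes.push({ field, name, from: before[name] ?? null, to: after[name] ?? null });
      }
    }
  }
  return changes;
}

// Constructed sample manifests (not taken from any real package).
const installed = { name: "relative-dep", version: "1.0.0", dependencies: { lodash: "^2.4.0" } };
const reordered = { version: "1.0.1", name: "relative-dep", dependencies: { lodash: "^2.4.0" } };
const bumped = { name: "relative-dep", version: "1.0.1", dependencies: { lodash: "^3.0.0", ms: "^2.1.0" } };

console.log(chooseInstallMode(null, installed));      // first install
console.log(chooseInstallMode(installed, reordered)); // only version and key order changed
console.log(chooseInstallMode(installed, bumped), changedDeps(installed, bumped));
```

A version bump or reordered keys alone keeps the fast path; any change to a declared range forces the slow, resolver-backed install so the transitive tree matches what a published package would get.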