
Regenerate package-lock

Open mtrezza opened this issue 4 years ago • 8 comments

New Feature / Enhancement Checklist

Current Limitation

It is currently undefined if and when package-lock.json should be completely regenerated.

The current approach seems to allow (partial) updates when:

  • snyk updates
  • a PR requires un-/install of a dependency

The limitations of that seem to be:

  • snyk only updates for security vulnerabilities
  • a PR requiring un-/install of a dependency comes along at irregular points in time and - if I'm not mistaken - does not regenerate the whole file.

The effect seems to be that sub-dependencies of packages that use range operators do not get updated. This is especially true for packages with low release frequency.

From a package deployment perspective, package-lock.json should be touched with care as it ensures a consistent dependency tree across deployments. However, from a package development perspective, regularly rebuilding package-lock.json seems a necessity due to the common use of range operators in dependencies.

Suggestion

Regularly completely regenerate package-lock.json in a dedicated PR. Possibly automated.

mtrezza avatar Jun 05 '21 09:06 mtrezza

@dplewis @davimacedo What's your take on this?

mtrezza avatar Jun 30 '21 08:06 mtrezza

We used to manually update it every time we create a new release. Maybe we could add this step to the CI process. Updating it at each release would probably be enough, right?

davimacedo avatar Jun 30 '21 16:06 davimacedo

Yes, I think so. Adding to the CI is a good idea.

mtrezza avatar Jun 30 '21 22:06 mtrezza

Should this be closed, @mtrezza?

Moumouls avatar Oct 24 '24 06:10 Moumouls


I'm not sure. It's an open topic. If we regenerate package-lock, we'll miss security upgrades of sub-dependencies that snyk and dependabot did over time. If we don't regenerate package-lock, there will probably be other outdated sub-dependencies.

mtrezza avatar Oct 24 '24 10:10 mtrezza

Oh I see, maybe a monthly CI with an automated PR to try a package-lock regen @mtrezza

Moumouls avatar Oct 24 '24 14:10 Moumouls

Maybe, but not sure how many snyk PRs that will reset and snyk will re-open again if we do that monthly. Maybe quarterly? I guess we'd have to try it out.

mtrezza avatar Oct 24 '24 17:10 mtrezza
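The thread's open question is whether an automated regeneration PR would silently undo version bumps that Snyk or Dependabot made for security fixes. Below is an added example, not parse-server's own tooling and not something any commenter posted, of a check such a regen job could run before opening the PR: it compares the lockfile from before `rm package-lock.json && npm install --package-lock-only` with the regenerated one, lists every resolved version that changed, and fails when any package went backwards. Package names, versions and the two sample lockfiles are constructed for the example; it handles both the flat `packages` layout of lockfileVersion 2/3 and the nested `dependencies` layout of lockfileVersion 1.

```python
"""Report what a full package-lock.json regeneration changed, and flag downgrades.

Added example, not part of parse-server or of any comment in this thread.
Package names and versions in the sample lockfiles below are constructed.
"""
import json
import re
from typing import Optional, Tuple

_SEMVER = re.compile(r"^(\d+)\.(\d+)\.(\d+)")


def resolved_versions(lock: dict) -> dict:
    """Map each install path (e.g. 'node_modules/a/node_modules/b') to (name, version).

    lockfileVersion 2 and 3 list packages flat under "packages"; version 1
    nests them under "dependencies". Both layouts are flattened here.
    """
    versions = {}
    if "packages" in lock:
        for path, meta in lock["packages"].items():
            # "" is the root project itself; links/workspaces may carry no version.
            if path == "" or "version" not in meta:
                continue
            name = path.rsplit("node_modules/", 1)[-1]  # keeps "@scope/pkg" intact
            versions[path] = (name, meta["version"])
    elif "dependencies" in lock:
        def walk(deps: dict, prefix: str) -> None:
            for name, meta in deps.items():
                path = f"{prefix}node_modules/{name}"
                versions[path] = (name, meta["version"])
                walk(meta.get("dependencies", {}), path + "/")
        walk(lock["dependencies"], "")
    return versions


def version_key(version: str) -> Optional[Tuple[int, int, int]]:
    """(major, minor, patch) for ordering; None for non-semver strings such as git URLs."""
    m = _SEMVER.match(version)
    return tuple(int(x) for x in m.groups()) if m else None


def diff_lockfiles(before: dict, after: dict) -> dict:
    """Classify every install path as upgraded, downgraded, added or removed."""
    old, new = resolved_versions(before), resolved_versions(after)
    report = {"upgraded": [], "downgraded": [], "added": [], "removed": []}
    for path in sorted(set(old) | set(new)):
        if path not in new:
            report["removed"].append(old[path])
        elif path not in old:
            report["added"].append(new[path])
        else:
            name, old_v = old[path]
            new_v = new[path][1]
            if old_v == new_v:
                continue
            ok, nk = version_key(old_v), version_key(new_v)
            # Only a comparable semver pair can be called a downgrade; any other
            # change (non-semver strings) is reported under "upgraded".
            bucket = "downgraded" if ok and nk and nk < ok else "upgraded"
            report[bucket].append((name, old_v, new_v))
    return report


def regen_is_safe(report: dict) -> bool:
    """Gate for an automated regen PR: reject it when any version went backwards."""
    return not report["downgraded"]


# Constructed sample: lockfile before regeneration. pkg-a had been bumped to
# 1.2.5 by a security PR and pkg-d was nested under pkg-b.
BEFORE_LOCK = json.loads("""{
  "name": "example-app", "lockfileVersion": 3,
  "packages": {
    "": {"name": "example-app", "version": "1.0.0"},
    "node_modules/pkg-a": {"version": "1.2.5"},
    "node_modules/pkg-b": {"version": "2.0.0"},
    "node_modules/pkg-b/node_modules/pkg-d": {"version": "0.9.1"},
    "node_modules/@scope/pkg-c": {"version": "3.1.0"}
  }
}""")

# Constructed sample: lockfile after regeneration. pkg-b moved to 2.1.0, pkg-d
# was hoisted to the top level, and pkg-a resolved back to 1.2.3, so the
# security bump was lost.
AFTER_LOCK = json.loads("""{
  "name": "example-app", "lockfileVersion": 3,
  "packages": {
    "": {"name": "example-app", "version": "1.0.0"},
    "node_modules/pkg-a": {"version": "1.2.3"},
    "node_modules/pkg-b": {"version": "2.1.0"},
    "node_modules/pkg-d": {"version": "1.0.0"},
    "node_modules/@scope/pkg-c": {"version": "3.1.0"}
  }
}""")

if __name__ == "__main__":
    result = diff_lockfiles(BEFORE_LOCK, AFTER_LOCK)
    for bucket, entries in result.items():
        for entry in entries:
            print(bucket, *entry)
    raise SystemExit(0 if regen_is_safe(result) else 1)
```

In a scheduled job the two inputs would be the committed lockfile and the freshly generated one (loaded with `json.load` from their paths); a non-zero exit keeps the regen PR from being opened until the flagged downgrades are looked at, which is exactly the case the thread worries about.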