-
Notifications
You must be signed in to change notification settings - Fork 147
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add proposal for new CLI command: yarn upgrade-transitive
#54
base: master
Are you sure you want to change the base?
Conversation
I love the idea to have control over what dependencies Yarn installs transitively. What do you think of a separate command for this feature?
Then it would allow a fine control if you want to patch (or roll back) a deep dependency or many of them |
@bestander That sounds exactly like the level of control I keep finding myself wishing for. Would love to see something like that ❤️ |
Should the * work like globs tho, where ** and * are different? |
Yeah, you are right, Jordan
…On 23 March 2017 at 17:40, Jordan Harband ***@***.***> wrote:
Should the * work like globs tho, where ** and * are different?
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#54 (comment)>, or mute
the thread
<https://github.com/notifications/unsubscribe-auth/ACBdWK1ekrKuQUFS_fBCclO-h_fCSLWBks5roq6PgaJpZM4MiAlG>
.
|
Separate command sounds entirely reasonable to me. I'll revise the RFC :) |
What would probably also be useful would be a |
Nice! A command like My previous yarn issue: yarnpkg/yarn#2558 |
Ping, does anyone want to send a PR? |
@bestander I've updated the RFC. Still working on a code implementation (which will also help me answer some of the questions I still have regarding the implementation details in the RFC). Happy if anyone beats me to it, but I am working on it, apologies for the slowness! |
No worries, @magicmark! |
Correct me if I wrong, but the issue this RFC aims to solve is similar to Selective versions resolutions. If yes I would go with |
@sejoker Thank you for this info. Looks like it makes sense for the other RFC to contain most of the logic for this as it is more generalised. There could still be value in this RFC just becoming an interface for adding lines to the |
@magicmark I'm the author of the #68 RFC, don't hesitate to make comment there to clarify points that could be helpful to make it coherent with your RFC! Also, I saw the bit about vocabulary, if you think using "transitive dependency" is clearer than "nested dependency", please comment about it there, we could improve the language thus :) |
As a non native english speaker I put my vote on nested dependency |
@bestander sounds good to me. I've given my feedback in #68, I'll await @victornoel:
If this is included in #68, we can drop this? |
@magicmark, we might want to discuss more how upgrade-interactive would work modifying the resolutions described in #68. |
@magicmark sorry for stalling on reviewing this RFC. It seems like your RFC covers and intends to solve another case that neither of those do. We have a structure of packages
And let's say they got locked in yarn.lock as
After some time all 3 got new versions, e.g.
Removing B and C sections from the lockfile manually seems like the easiest solution to bump them. Is it worth having a command for this?
|
As long as I think my ideal would be something that captures the behavior you describe for |
I'm not sure this would be possible, because the lockfile isn't a tree. Let's say two dependencies ( |
@arcanis I think that would be an acceptable trade-off. I imagine this command would only be run very rarely, and only when the dev really knows they want to update the deps - it's an advanced level command. So it's ok to make tradeoffs like that. It'd probably be a good idea to get confirmation first:
|
I am not sure just having a command-line flag here would be enough. I've been getting a lot of bug reports on one of my libraries where a dependency of the library was, at some point, broken. A fixed version has been released a long time ago, but people are still stuck on the old version because yarn will keep the old version of the transitive dependency in the package lock around... forever, it seems, unless you do something non-obvious like removing the library and re-installing it. I think even when we have the proposed command-line option (if this rfc picks up stream again at some point) the fact that users have to find out about it and use it to upgrade is a liability. Is there a good reason not to do this by default when running |
text/0000-yarn-update-transitive.md
Outdated
|
||
# Summary | ||
|
||
This RFC proposes the addition of a "update-transitive" command to the Yarn CLI. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think it should be upgrade-transitive
to match upgrade
and upgrade-interactive
, otherwise it looks like it goes with yarn self-update
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yep, this makes sense, thanks! I've updated this in the proposal.
yarn upgrade-transitive
So quite a lot has changed since the initial draft of this RFC - namely the introduction of the new Selective dependency resolutions API. I think it makes sense to use this existing API to solve the problems of force upgrading a transitive dep past its usual semver range. A new CLI command/flag wrapping this might still be a nice DUX thing. Ideally it would also bump an in-range version of a transitive dep without adding an override. This would unify the workflow for both scenarios under one command. I'll let this marinate for a few days to get some feedback on this, and I'll do some investigation into some implementation details here. |
Vulnerability: https://nvd.nist.gov/vuln/detail/CVE-2018-3728 `rm yarn.lock` `yarn install` There is currently no way to update single transitive dependencies see: yarnpkg/rfcs#54
Vulnerability: https://nvd.nist.gov/vuln/detail/CVE-2018-3728 `rm yarn.lock` `yarn install` There is currently no way to update single transitive dependencies see: yarnpkg/rfcs#54
@bestander Updated the RFC and trimmed it down a bit. I think it's in a good place to be reviewed again. (tl;dr this is mostly now a dumb wrapper around the Thanks everyone who has looked over this so far! (And thanks to @kaylieEB @victornoel for the work on the resolutions field that this will use 😃 ) |
I don't quite see how this is the same as the resolutions in the package.json. We find ourselves in this scenario quite often and it is frankly rather annoying: We have multiple dependencies with the same dependency, for example:
Now we sometimes end up with two versions of shared-dep (e.g. 2.0.0 and 2.0.3) in our yarn.lock file - and there is no way to get rid of this, as running e.g. This feels really weird, since all of these can easily be satisfied by the same version (e.g. 2.0.4), and it does not feel clear to me at all why running IMHO, requiring to manually delete entries from the yarn.lock file is not really a solution for that. Also, I don't see how requiring us to add a manual resolution to the package.json is an adequate solution for that - since we'll need to then update this resolution for each further update of the dependency, which adds a lot of noise. We would love to have any one of these options:
|
Maybe relevant: |
@mydea I'm not sure what you describe is really related to the issue here, but I'm seeing it as well and it is indeed fairly annoying. I've been using yarn-tools (through npx) to fix this "semi-manually" |
I'm still scoping the possible implementation of this. This is early stage, but I would appreciate any early feedback on this concept!
(yarnpkg/yarn#2543)