-
-
Notifications
You must be signed in to change notification settings - Fork 495
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Commit lockfile for consistent CI and installs #3100
Conversation
What are the drawbacks to checking in the lockfile?
Others? |
Can you elaborate?
Sure, but that's easily resolved and doesn't outweigh the benefits of consistent package versioning in different environments. |
That seems like a fair summary. I’d like to emphasize for clarity that all changes to dependencies must be explicit, whether minor or major, upgrade or downgrade, etc. I agree with uncenter that conflicts in lockfiles are generally trivial to resolve, especially outside a monorepo, but that’s certainly a non-zero cost that should be considered. (As for the more general question, I’m entirely on the side of committing it.) |
My primary concern is (unless I’m mistaken) that checking in a lockfile makes Eleventy the bottleneck when dependencies issue updates (especially for security reasons). Numerous times over the years we’ve had deps issue updates and they are subsequently automatically picked up via minor releases without any action on my part. This is a huge benefit. |
#3293 (comment) is one such recent issue |
I agree that that’s an advantage, but conversely, apart from introducing non-determinism, it adds a new vector for security issues in the form of malicious updates from the developers of those dependencies. That may not be a major concern, of course, since malicious developers are exceedingly unlikely compared to security issues that are fixed by later releases. |
After a bit more research I learned that I am misinformed about one small but important point: the package-lock.json file is never part of the published package code so “Minor updates in dependencies must be opted into at the application level” is not accurate. More accurately, minor updates in dependencies would need to be opted into in this repo only, which makes a lot more sense now that we have dependabot enabled here. So, let’s roll with this for a bit and see how annoying it is 😅 |
Shipping with 3.0.0-beta.2 and 3.0.0-alpha.19 |
Yay for dependency hygiene. The next step is to also pin (at least dev) dependencies, and then upgrade those pinned dependencies regularly on purpose (instead of by accident). https://docs.renovatebot.com/dependency-pinning/#pinning-dependencies-and-lock-files |
Big fan of Renovate myself! GitHub's Dependabot is the other option, though I found it cumbersome at times. |
Lockfiles exist to guarantee consistency across installs, especially in CI tests! This is a fresh lockfile from a fresh clone and install, and all tests are passing.