
Sync package-lock.json to all tracks #703

Closed
tejasbubane opened this issue Jul 30, 2019 · 5 comments

Comments

@tejasbubane
Member

Currently we sync root package.json to all exercise directories. Files in exercise directory are served to our users.

Should we also sync package-lock.json to make sure users get exactly the version we intend?

If we decide to sync, we also need to check its integrity.

@SleeplessByte
Member

I don't think we should force npm over yarn and I think that npm is way too talkative when it comes to dependencies of dependencies. It also means that we will have to upgrade all exercises way more often (for every patch-level change), which leads to a lot of exercises being denoted as "outdated" even though the content doesn't change at all.

That said, if we want consistent workspaces, it's well worth the effort? What do you think?

@SleeplessByte
Member

Also: this code doesn't run on the web, not on the internet. Apart from a bad actor (read: pushing a patch level security breach) that would upload shit on postinstall, most of these security issues don't apply to us, at all.

@KillyMXI

KillyMXI commented Jul 30, 2019

  1. Detection of "outdated" exercises should be smarter and should not stop the housekeeping.
  2. Exercise instructions use npm.
  3. If you are here to educate people - you should not provide a bad example of ignoring warnings.

@tejasbubane
Member Author

I don't think we should force npm over yarn

yarn would still work with package.json so I would call it recommending rather than forcing.

It also means that we will have to upgrade all exercises way more often (for every patch-level change), which leads to a lot of exercises being denoted as "outdated" even though the content doesn't change at all.

I am not much keen on the security audit fixes. We can safely ignore those since this is not a critical project.

if we want consistent workspaces, it's well worth the effort? What do you think?

I don't have a strong opinion on this. We can leave this issue open & tackle this as and when someone finds time. Right now versioning & bringing all exercises in sync (#628) is of more priority for me since a lot of exercises have gone out of sync with canonical data.

@SleeplessByte
Member

yarn would still work with package.json so I would call it recommending rather than forcing.

Yes, but it leads to "2 lock files" for those users, with inconsistent behaviour, meaning support will be more difficult for us.

I am not much keen on the security audit fixes. We can safely ignore those since this is not a critical project.

Exactly my thinking 💯

Right now versioning & bringing all exercises in sync (#628) is of more priority for me since a lot of exercises have gone out of sync with canonical data.

💯 agreed

No branches or pull requests

3 participants