-
Notifications
You must be signed in to change notification settings - Fork 147
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Prevent Yarn from rewriting the lockfile when switching between online ⇄ offline #51
Conversation
This is great! |
0000-offline-resolution-field.md
Outdated
|
||
Yarn currently has two different type of values for the lockfile `resolved` fields: | ||
|
||
- When online, they're in the form `${source}/${name}-${version}.tar.gz#${hash}` |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
also it can be a git URL e.g. ssh://[email protected]/bestander/test-repo.git, a link: or a file:.
0000-offline-resolution-field.md
Outdated
|
||
- **Rational: Why removing the source part of the resolved field?** | ||
|
||
The source is redundant, and misleading: |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Another advantage is that Yarn can start downloading the dependencies immediately skipping the resolution step.
Also there may be some caveats regarding proxies and private packages.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Also there may be some caveats regarding proxies and private packages.
It might also causes issue on this regard even with the source; for example, a dev might use an internal IP as mirror, and a public URL on CI. Baking the source in the lockfile means that this cannot be done without postprocessing the lockfile (since the CI won't have access to this URL). Removing the source would help resolve this issue, since then the CI would use whatever registry it is configured to use rather than the ones specified in the lockfile.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Agree but it is a separate issue/feature
I wonder if getting rid of domain from URL and making yarn.lock not changed when using Offline Mirror are two different problems you are trying to tackle. |
A first iteration could uniformize the two processes by baking the source into both offline & online package resolutions. There might be a bit less code involved, but I'm not completely sure (because there wouldn't be any distinction between offline and online, we would have to check the offline cache anyway to see if a matching file exists). The only step that would be avoided would be to dynamically resolve the source against the package.json (because then we would just use whatever source is set in the lockfile instead). |
Can you give an example how yarn.lock will look? |
If we strip the source: (note that even the git repo is only resolved to its name + hash)
If we forcefully write the source even when offline:
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think these are all good ideas that should be evaluated separately.
Let's also focus on speed and backwards compatibility.
0000-offline-resolution-field.md
Outdated
|
||
- **Rational: Why removing the source part of the resolved field?** | ||
|
||
The source is redundant, and misleading: |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Agree but it is a separate issue/feature
0000-offline-resolution-field.md
Outdated
|
||
- If we change our registry URL, the package itself will not have changed. The lockfile should not be modified. | ||
|
||
- The source is already in the package.json file - we can use it when we need to, since we will have checked by then that the resolved version still match (when working with a registry). Worst case scenario (direct link) we will catch that the file will have changed when checking the hash - but that's not something we could have avoided with storing the source in the lockfile anyway. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The source at package.json is loose that is resolved to a fixed URL in package-resolver.
Yarn gains speed by caching and freezing resolution step in the lockfile
0000-offline-resolution-field.md
Outdated
|
||
- The source is already in the package.json file - we can use it when we need to, since we will have checked by then that the resolved version still match (when working with a registry). Worst case scenario (direct link) we will catch that the file will have changed when checking the hash - but that's not something we could have avoided with storing the source in the lockfile anyway. | ||
|
||
- (Optional) Splitting the resulting `resolved` field into two others: `hash` (the hash of the tarballs) and `tarball` (the tarball name). |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
That might be useful especially that we want to migrate to sha2/sha3
0000-offline-resolution-field.md
Outdated
|
||
- (Optional) Splitting the resulting `resolved` field into two others: `hash` (the hash of the tarballs) and `tarball` (the tarball name). | ||
|
||
- Adding the hash to the tarball name. This is to prevent issues where two projects are being worked on at the same time, both with the same dependency `foobar`, except that one of those projects is using the development branch of `foobar` (possibly fetching the project directly from git). In such a case, both projects lockfile would resolve to the same dependency name, the same dependency version (because maintainers don't usually bump version number until the release), but different hashes. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Nice idea
I opened a PR for review (yarnpkg/yarn#2970) and updated the rfc (fortunately, there was more to remove than to add 😄). |
This looks good. |
Great job, one big source of inconsistent caches is about to go away! |
First draft cc @bestander