Skip to content

Regenerate package-lock #7417

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
3 tasks done
mtrezza opened this issue Jun 5, 2021 · 8 comments
Open
3 tasks done

Regenerate package-lock #7417

mtrezza opened this issue Jun 5, 2021 · 8 comments
Labels
type:meta Non-code issue

Comments

@mtrezza
Copy link
Member

mtrezza commented Jun 5, 2021
edited
Loading

New Feature / Enhancement Checklist

Current Limitation

It is currently undefined if and when package-lock.json should be completely regenerated.

The current approach seems to allow (partial) updates when:

  • snyk updates
  • a PR requires un-/install of a dependency

The limitations of that seem to be:

  • snyk only updates for security vulnerabilities
  • a PR requiring un-/install of a dependency comes along at irregular points in time and - if I'm not mistaken - does not regenerate the whole file.

The effect seem to be that sub-dependencies of packages that use range operators do not get updated. This is especially true for packages with low release frequency.

From a package deployment perspective, package-lock.json should be touched with care as it ensures a consistent dependency tree across deployments. However, from a package development perspective, regularly rebuilding package-lock.json seems a necessity due to the common use of range operators in dependencies.

Suggestion

Regularly completely regenerate package-lock.json in a dedicated PR. Possibly automated.
@mtrezza mtrezza added the type:meta Non-code issue label Jun 5, 2021
This was referenced Jun 5, 2021
Merged
Merged
@mtrezza
Copy link
Member Author

mtrezza commented Jun 30, 2021

@dplewis @davimacedo What's your take on this?

@davimacedo
Copy link
Member

We use to manually update it every time we create a new release. Maybe we could add this step to the ci process. Updating it at each release would be probably enough, right?

@mtrezza
Copy link
Member Author

mtrezza commented Jun 30, 2021
edited
Loading

Yes, I think so. Adding to the CI is a good idea.

@mtrezza mtrezza mentioned this issue Jul 27, 2021
Merged
@mtrezza mtrezza mentioned this issue Nov 19, 2021
Merged
@Moumouls
Copy link
Member

should be closed @mtrezza ?

@Moumouls Moumouls reopened this Oct 24, 2024
@parse-github-assistant Parse GitHub Assistant
Copy link

Thanks for opening this issue!

  • 🎉 We are excited about your ideas for improvement!

@mtrezza
Copy link
Member Author

mtrezza commented Oct 24, 2024

I'm not sure. It's an open topic. If we regenerate package-lock we'll miss security upgrades of sub-dependencies that snyk and dependabot did over time. If we don't regenerate package-lock, there will probably be other outdated sub-dependencies.

@Moumouls
Copy link
Member

oh i see, may be a monthly CI with automated PR to try a package lock regen @mtrezza

@mtrezza
Copy link
Member Author

mtrezza commented Oct 24, 2024

Maybe, but not sure how many snyk PRs that will reset and snyk will re-open again if we do that monthly. Maybe quarterly? I guess we'd have to try out.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
type:meta Non-code issue
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@davimacedo @mtrezza @Moumouls