WordPress.org

Make WordPress Core

Opened 9 months ago

Last modified 9 months ago

#45088 new defect (bug)

Update package-lock.json for Mac, Linux, and Windows cross-platform compatibility

Reported by: azaozz Owned by:
Milestone: Future Release Priority: normal
Severity: minor Version:
Component: Build/Test Tools Keywords: needs-patch
Focuses: Cc:

Description

Doing a "clean" npm install after #45064 on Windows 10 changed the package-lock.json a bit, adding a few "optional": true.

Attachments (2)

45088.diff (3.2 KB) - added by azaozz 9 months ago.
win10-package-lock.json-after-43840.diff (6.6 KB) - added by azaozz 9 months ago.

Download all attachments as: .zip

Change History (11)

#1 @azaozz
9 months ago

This seems "nice to have", happens every time after npm install on Win10. Adding here just in case, feel free to "wontfix" :)

@azaozz
9 months ago

#2 @azaozz
9 months ago

  • Keywords has-patch added

#3 @netweb
9 months ago

  • Keywords needs-patch added; has-patch removed
  • Milestone changed from 5.0 to Future Release
  • Summary changed from Update package-lock.json to Update package-lock.json for Mac, Linux, and Windows cross-platform compatibility

tl;dr: If 45088.diff is committed the next Mac or Linux user will then generate a different package-lock.json

The issue is documented in:

Issue: https://github.com/npm/npm/issues/17722 package-lock.json and optional packages

Discussion: https://npm.community/t/package-lock-json-keeps-changing-between-platforms-and-runs/1129

Assume you have a 2 developers, one on mac, and one on linux. You use npm@5.1 (or v6.x) and your project depends on chokidar package. That package has optional dependency of fsevents, which is useful only for mac. So, you are on linux, and do npm i chokidar. npm generates package-lock.json without fsevents, because it is useless on linux. You commit that generated file.

Your teammate pulls your changes, and does npm i, to get node_modules in sync with package-lock.json. Npm installs fsevents, and writes it to package-lock.json. What should mac user to do? commit that file?

Assume that mac user commits file. Linux user pulls it, and make npm install. Npm does not install fsevents, and removes it from package-lock.json. And this become annoying very quickly.


To confirm the above theory using the latest release Node.js v8.12.0 and npm 6.4.1 I applied 45088.diff on my Mac here locally and deleted the node_modules folder, then running npm install results in the package-lock.json file being restored to the original state before 45088.diff was applied.

I'd love to have this fixed as we've had this ongoing issue for quite some time, see [39368], though until there's an upstream fix there's nothing much that can be done, as such I'm bumping this to future release

#4 follow-up: @swissspidy
9 months ago

When running npm install on my Mac, I see lots of changes of http URLs to https in package-lock.json. Is that happening for anyone else?

#5 in reply to: ↑ 4 @netweb
9 months ago

Replying to swissspidy:

When running npm install on my Mac, I see lots of changes of http URLs to https in package-lock.json. Is that happening for anyone else?

I've not seen this issue personally, taking a quick look inside the 5.0 branch package-lock.json file;

    "browserify-rsa": {
      "version": "4.0.1",
      "resolved": "http://registry.npmjs.org/browserify-rsa/-/browserify-rsa-4.0.1.tgz",
      "integrity": "sha1-IeCr+vbyApzy+vsTNWenAdQTVSQ=",
      "dev": true,
      "requires": {
        "bn.js": "^4.1.0",
        "randombytes": "^2.0.1"
      }
    },
    "browserify-sign": {
      "version": "4.0.4",
      "resolved": "https://registry.npmjs.org/browserify-sign/-/browserify-sign-4.0.4.tgz",
      "integrity": "sha1-qk62jl17ZYuqa/alfmMMvXqT0pg=",
      "dev": true,
      "requires": {

I'm going to reopen #43075 for backporting to the 5.0 branch so that package.json and packge-lock.json files for both Core and Gutenberg use the same indentation, tabs, not spaces.

Whilst creating that patch I'll also update any http:// instances to https://

This ticket was mentioned in Slack in #core by netweb. View the logs.


9 months ago

#7 @ocean90
9 months ago

The lock file was changed in [43801] to include the optional part.

This ticket was mentioned in Slack in #core-js by pento. View the logs.


9 months ago

#9 @azaozz
9 months ago

In win10-package-lock.json-after-43840.diff: just FYI, changes after doing npm install on Win10 after [43840], see #45145.

Last edited 9 months ago by azaozz (previous) (diff)
Note: See TracTickets for help on using tickets.