Opened 7 months ago

Last modified 7 weeks ago

#7535 accepted task

Add npm `package-lock.json` for npm v5.x

Reported by: netweb
Owned by: netweb
Milestone: Future Release
Priority: normal
Severity: normal
Version:
Component: Build/Test Tools
Keywords: needs-codex
Cc:

Description

npm v5 now generates a package-lock.json file by default.

Some paraphrased notes from the announcement post: http://blog.npmjs.org/post/161081169345/v500

  • package-lock.json and npm-shrinkwrap.json are aware of each other and happy to coexist.
  • Package locks no longer exclude optionalDependencies that failed to build. This means package-lock.json and npm-shrinkwrap.json should now be cross-platform.
    • This will hopefully mitigate the optionalDependencies issue with our build server in #38657 / r39368; when the build server is bumped to use the upcoming Node.js v8.x LTS release, this can be tested and confirmed.
  • Running npm while offline will no longer insist on retrying network requests. npm will now immediately fall back to cache if possible, or fail. npm's caching is vastly improved in npm 5.
  • On performance, NodeJS 6.9.1 and NPM 3.10.8 running npm install in tests took ~63.94 seconds on average. With NodeJS v7.10.0 and npm v5.0.0 this is halved to ~26.26 seconds on average. Once npm modules are cached, reinstalling node_modules averages 16.163 seconds, just shy of a 4x speed boost.
    • Detailed bbPress, BuddyPress, and WordPress performance tests can be seen in this spreadsheet.
    • The performance boost is comparable to that of Yarn: initial install 21.40 seconds, and subsequent installs 18.82 seconds; see #38603.

Related: #7378 Investigate using yarn instead of npm
Related: #WP40938 Add npm package-lock.json for npm v5.x

Attachments (1)

7535.patch (246.7 KB) - added by netweb 7 months ago.

Change History (7)

#1 @netweb
7 months ago

  • Milestone changed from Awaiting Review to 2.9
  • Status changed from new to accepted

#2 @netweb
7 months ago

  • Milestone changed from 2.9 to Future Release

Via https://docs.npmjs.com/files/package-lock.json

One key detail about package-lock.json is that it cannot be published, and it will be ignored if found in any place other than the toplevel package. It shares a format with npm-shrinkwrap.json, which is essentially the same file, but allows publication.

This is not recommended unless deploying a CLI tool or otherwise using the publication process for producing production packages.

If both package-lock.json and npm-shrinkwrap.json are present in the root of a package, package-lock.json will be completely ignored.

It's one or the other, not both files. That gives us a few options to consider; whilst I think about those and the best path forward, I'll tuck this ticket into the future release milestone.

P.S. My initial thoughts are that we switch from having an npm-shrinkwrap.json file to having the package-lock.json file.
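The precedence rule quoted from the npm documentation above can be checked mechanically before a switch like this. The following Node.js sketch is an added example, not code from this ticket or from BuddyPress; `auditLockFiles`, `readLock` and `makeSample` are hypothetical names, and the sample checkout with its version numbers is constructed.

```javascript
const fs = require("fs");
const os = require("os");
const path = require("path");
const LOCK = "package-lock.json";
const SHRINKWRAP = "npm-shrinkwrap.json";

// Read and parse one lock file from the package root; null if it is absent.
function readLock(root, name) {
  const file = path.join(root, name);
  if (!fs.existsSync(file)) return null;
  try {
    return { name, data: JSON.parse(fs.readFileSync(file, "utf8")) };
  } catch (err) {
    return { name, data: null, error: err.message };
  }
}

// Apply the rule quoted above: with both files in the root, npm-shrinkwrap.json wins.
function auditLockFiles(root) {
  const lock = readLock(root, LOCK);
  const shrinkwrap = readLock(root, SHRINKWRAP);
  const effective = shrinkwrap || lock;
  const warnings = [];
  if (!effective) warnings.push("no lock file in the package root; versions are not pinned");
  for (const f of [lock, shrinkwrap]) if (f && f.error) warnings.push(`${f.name} is not valid JSON: ${f.error}`);
  if (lock && shrinkwrap) {
    warnings.push(`${LOCK} is ignored because ${SHRINKWRAP} is also present`);
    // Both files share one format, so compare the parsed contents (key order included).
    if (JSON.stringify(lock.data) !== JSON.stringify(shrinkwrap.data)) {
      warnings.push("the two files differ; edits to the ignored file have no effect");
    }
  }
  return { effective: effective ? effective.name : null, warnings };
}

// Write a constructed sample checkout (not taken from the ticket) to a temp directory.
function makeSample(files) {
  const root = fs.mkdtempSync(path.join(os.tmpdir(), "lockaudit-"));
  for (const [name, body] of Object.entries(files)) {
    fs.writeFileSync(path.join(root, name), JSON.stringify(body));
  }
  return root;
}

// Constructed case: both files present in the root and out of sync.
const sample = makeSample({
  [LOCK]: { name: "demo", lockfileVersion: 1, dependencies: { grunt: { version: "1.0.1" } } },
  [SHRINKWRAP]: { name: "demo", dependencies: { grunt: { version: "0.4.5" } } },
});
console.log(auditLockFiles(sample));
```

Run against a real checkout, a non-empty `warnings` array is a reasonable condition for failing a CI job, since it means the file reviewers are reading may not be the one npm installs from.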

This ticket was mentioned in Slack in #buddypress by netweb.
7 months ago

#4 @netweb
6 months ago

I've nearly grok'd all there is to know about npm 5...

To that end, some recent knowledge ingestion: package-lock.json and npm-shrinkwrap.json are interchangeable; in essence one could be renamed to the other and it will work as intended.

Another is that npm has no LTS releases; everyone should be running the latest version of npm, which at the time of writing is npm 5.2.0. See also http://blog.npmjs.org/post/162451604515/the-npm-clis-long-term-support-lts-policy

The plan I have now to move forward with this is to rename npm-shrinkwrap.json to package-lock.json, then use npm 5.2.0 to update package-lock.json to the updated file format added as part of the npm 5.1.0 release.

This will also help to avoid scenarios where unexpected changes to npm-shrinkwrap.json occur, such as this.

I'm pretty keen on this change as it benefits both contributors and the repo. For contributors, things become a little simpler in that npm install is for the most part the only command you'll ever need to run ever again. For the repo, this change ensures a consistent set of build tool versions across all platforms that install faster than ever before.

#5 @netweb
5 months ago

  • Keywords needs-codex added

Also, the codex page https://codex.buddypress.org/prelaunch-checklist/ needs updating once this change is made.

#6 @DJPaul
7 weeks ago

@netweb Would be great to conclude this ticket one way or another, please.