Posted to dev@metron.apache.org by Otto Fowler <ot...@gmail.com> on 2018/08/25 14:32:13 UTC

package.lock changes during build?

I just did a PR, and saw that the package.lock file for alerts-ui was
changed, with updated versions.
I did *not* change the file, nor anything in metron-interface. That seems
to imply that this file is changed or updated by
something that happens during building or deploying full dev.

Is this true?  How does this work?  Is this on purpose?

ottO

Re: package.lock changes during build?

Posted by Casey Stella <ce...@gmail.com>.
Agreed! Great insight Shane!
On Sat, Aug 25, 2018 at 16:00 Michael Miklavcic <mi...@gmail.com>
wrote:

> You sir, are a gentleman and a scholar! Thanks for the background info, the
> current state of affairs, the controversy, and finally (most of all) the
> fix.
>
> On Sat, Aug 25, 2018, 12:52 PM Shane Ardell <sh...@gmail.com>
> wrote:
>
> > NPM's use of lock files has been quite controversial. I won't go into it
> > too deep here as there are endless posts criticizing and justifying their
> > approach, but `npm install` will install all modules listed as dependencies
> > in package.json and update package-lock.json accordingly instead of
> > referencing the lock file. This caused a lot of outrage in the community (I
> > would argue rightfully so), which led to a compromise in release 5.7.1 with
> > `npm ci`. This command installs exactly what is specified in the
> > package-lock.json.
> >
> > https://blog.npmjs.org/post/171556855892/introducing-npm-ci-for-faster-more-reliable
> >
> > Metron's build currently uses `npm install`, which is why we are seeing the
> > package-lock.json update whenever we build locally. Coincidentally, I just
> > addressed this by switching to `npm ci` in an open PR of mine because I
> > noticed the same happening locally and I was already updating npm commands
> > in the pom.xml.
> >
> > https://github.com/apache/metron/pull/1096/files#diff-e8f55f2d9e4f18085052a36d750e9648L60
> >
> >
> >
> > On Sat, Aug 25, 2018 at 7:13 PM Casey Stella <ce...@gmail.com> wrote:
> >
> > > Yeah, that's what I thought too, but I wonder if it triggers a change if
> > > there's a dependency that is not version locked (i.e. the most recent
> > > version of dependency x moved from y to z).
> > >
> > > On Sat, Aug 25, 2018 at 11:52 AM Michael Miklavcic <
> > > michael.miklavcic@gmail.com> wrote:
> > >
> > > > Somewhere along the line the dependencies appear to have changed, but the
> > > > file never got checked in. I don't like that this part of our build also
> > > > seems to be non-deterministic. If I build metron 0.4.x today, for instance,
> > > > what will I get? If the answer is "who knows?" that's unacceptable, imo.
> > > > I've glanced at the package file and see carets littering the
> > > > dependencies, which as I understand it means "get me anything later than
> > > > this version." I do not think we should be doing that.
> > > >
> > > >
> > > > On Sat, Aug 25, 2018, 9:14 AM Casey Stella <ce...@gmail.com>
> wrote:
> > > >
> > > > > I have looked into this for other reasons and the guidance that I've seen
> > > > > is to check in package-lock.json into source control.  I'll leave this
> > > > > stack overflow thread here:
> > > > >
> > > > > https://stackoverflow.com/questions/44206782/do-i-commit-the-package-lock-json-file-created-by-npm-5
> > > > >
> > > > > I want to point out that I hate that this changes as part of the build.  I
> > > > > haven't gotten a complete handle on exactly why package-lock is changing
> > > > > seemingly non-deterministically yet.
> > > > >
> > > > > Casey
> > > > >
> > > > > On Sat, Aug 25, 2018 at 11:05 AM Nick Allen <ni...@nickallen.org>
> > > wrote:
> > > > >
> > > > > > Yes, I have noticed that also, but have not looked deeper.
> > > > > >
> > > > > > On Sat, Aug 25, 2018 at 10:32 AM Otto Fowler <ottobackwards@gmail.com>
> > > > > > wrote:
> > > > > >
> > > > > > > I just did a PR, and saw that the package.lock file for alerts-ui was
> > > > > > > changed, with updated versions.
> > > > > > > I did *not* change the file, nor anything in metron-interface. That seems
> > > > > > > to imply that this file is changed or updated by
> > > > > > > something that happens during building or deploying full dev.
> > > > > > >
> > > > > > > Is this true?  How does this work?  Is this on purpose?
> > > > > > >
> > > > > > > ottO
> > > > > > >
> > > > > >
> > > > >
> > > >
> > >
> >
>

Re: package.lock changes during build?

Posted by Michael Miklavcic <mi...@gmail.com>.
You sir, are a gentleman and a scholar! Thanks for the background info, the
current state of affairs, the controversy, and finally (most of all) the
fix.

On Sat, Aug 25, 2018, 12:52 PM Shane Ardell <sh...@gmail.com>
wrote:

> NPM's use of lock files has been quite controversial. I won't go into it
> too deep here as there are endless posts criticizing and justifying their
> approach, but `npm install` will install all modules listed as dependencies
> in package.json and update package-lock.json accordingly instead of
> referencing the lock file. This caused a lot of outrage in the community (I
> would argue rightfully so), which led to a compromise in release 5.7.1 with
> `npm ci`. This command installs exactly what is specified in the
> package-lock.json.
>
> https://blog.npmjs.org/post/171556855892/introducing-npm-ci-for-faster-more-reliable
>
> Metron's build currently uses `npm install`, which is why we are seeing the
> package-lock.json update whenever we build locally. Coincidentally, I just
> addressed this by switching to `npm ci` in an open PR of mine because I
> noticed the same happening locally and I was already updating npm commands
> in the pom.xml.
>
> https://github.com/apache/metron/pull/1096/files#diff-e8f55f2d9e4f18085052a36d750e9648L60
>
>
>
> On Sat, Aug 25, 2018 at 7:13 PM Casey Stella <ce...@gmail.com> wrote:
>
> > Yeah, that's what I thought too, but I wonder if it triggers a change if
> > there's a dependency that is not version locked (i.e. the most recent
> > version of dependency x moved from y to z).
> >
> > On Sat, Aug 25, 2018 at 11:52 AM Michael Miklavcic <
> > michael.miklavcic@gmail.com> wrote:
> >
> > > Somewhere along the line the dependencies appear to have changed, but the
> > > file never got checked in. I don't like that this part of our build also
> > > seems to be non-deterministic. If I build metron 0.4.x today, for instance,
> > > what will I get? If the answer is "who knows?" that's unacceptable, imo.
> > > I've glanced at the package file and see carets littering the
> > > dependencies, which as I understand it means "get me anything later than
> > > this version." I do not think we should be doing that.
> > >
> > >
> > > On Sat, Aug 25, 2018, 9:14 AM Casey Stella <ce...@gmail.com> wrote:
> > >
> > > > I have looked into this for other reasons and the guidance that I've seen
> > > > is to check in package-lock.json into source control.  I'll leave this
> > > > stack overflow thread here:
> > > >
> > > > https://stackoverflow.com/questions/44206782/do-i-commit-the-package-lock-json-file-created-by-npm-5
> > > >
> > > > I want to point out that I hate that this changes as part of the build.  I
> > > > haven't gotten a complete handle on exactly why package-lock is changing
> > > > seemingly non-deterministically yet.
> > > >
> > > > Casey
> > > >
> > > > On Sat, Aug 25, 2018 at 11:05 AM Nick Allen <ni...@nickallen.org>
> > wrote:
> > > >
> > > > > Yes, I have noticed that also, but have not looked deeper.
> > > > >
> > > > > On Sat, Aug 25, 2018 at 10:32 AM Otto Fowler <ottobackwards@gmail.com>
> > > > > wrote:
> > > > >
> > > > > > I just did a PR, and saw that the package.lock file for alerts-ui was
> > > > > > changed, with updated versions.
> > > > > > I did *not* change the file, nor anything in metron-interface. That seems
> > > > > > to imply that this file is changed or updated by
> > > > > > something that happens during building or deploying full dev.
> > > > > >
> > > > > > Is this true?  How does this work?  Is this on purpose?
> > > > > >
> > > > > > ottO
> > > > > >
> > > > >
> > > >
> > >
> >
>

Re: package.lock changes during build?

Posted by Shane Ardell <sh...@gmail.com>.
NPM's use of lock files has been quite controversial. I won't go into it
too deep here as there are endless posts criticizing and justifying their
approach, but `npm install` will install all modules listed as dependencies
in package.json and update package-lock.json accordingly instead of
referencing the lock file. This caused a lot of outrage in the community (I
would argue rightfully so), which led to a compromise in release 5.7.1 with
`npm ci`. This command installs exactly what is specified in the
package-lock.json.
https://blog.npmjs.org/post/171556855892/introducing-npm-ci-for-faster-more-reliable

Metron's build currently uses `npm install`, which is why we are seeing the
package-lock.json update whenever we build locally. Coincidentally, I just
addressed this by switching to `npm ci` in an open PR of mine because I
noticed the same happening locally and I was already updating npm commands
in the pom.xml.
https://github.com/apache/metron/pull/1096/files#diff-e8f55f2d9e4f18085052a36d750e9648L60



On Sat, Aug 25, 2018 at 7:13 PM Casey Stella <ce...@gmail.com> wrote:

> Yeah, that's what I thought too, but I wonder if it triggers a change if
> there's a dependency that is not version locked (i.e. the most recent
> version of dependency x moved from y to z).
>
> On Sat, Aug 25, 2018 at 11:52 AM Michael Miklavcic <
> michael.miklavcic@gmail.com> wrote:
>
> > Somewhere along the line the dependencies appear to have changed, but the
> > file never got checked in. I don't like that this part of our build also
> > seems to be non-deterministic. If I build metron 0.4.x today, for instance,
> > what will I get? If the answer is "who knows?" that's unacceptable, imo.
> > I've glanced at the package file and see carets littering the
> > dependencies, which as I understand it means "get me anything later than
> > this version." I do not think we should be doing that.
> >
> >
> > On Sat, Aug 25, 2018, 9:14 AM Casey Stella <ce...@gmail.com> wrote:
> >
> > > I have looked into this for other reasons and the guidance that I've seen
> > > is to check in package-lock.json into source control.  I'll leave this
> > > stack overflow thread here:
> > >
> > > https://stackoverflow.com/questions/44206782/do-i-commit-the-package-lock-json-file-created-by-npm-5
> > >
> > > I want to point out that I hate that this changes as part of the build.  I
> > > haven't gotten a complete handle on exactly why package-lock is changing
> > > seemingly non-deterministically yet.
> > >
> > > Casey
> > >
> > > On Sat, Aug 25, 2018 at 11:05 AM Nick Allen <ni...@nickallen.org>
> wrote:
> > >
> > > > Yes, I have noticed that also, but have not looked deeper.
> > > >
> > > > On Sat, Aug 25, 2018 at 10:32 AM Otto Fowler <ottobackwards@gmail.com>
> > > > wrote:
> > > >
> > > > > I just did a PR, and saw that the package.lock file for alerts-ui was
> > > > > changed, with updated versions.
> > > > > I did *not* change the file, nor anything in metron-interface. That seems
> > > > > to imply that this file is changed or updated by
> > > > > something that happens during building or deploying full dev.
> > > > >
> > > > > Is this true?  How does this work?  Is this on purpose?
> > > > >
> > > > > ottO
> > > > >
> > > >
> > >
> >
>

Re: package.lock changes during build?

Posted by Casey Stella <ce...@gmail.com>.
Yeah, that's what I thought too, but I wonder if it triggers a change if
there's a dependency that is not version locked (i.e. the most recent
version of dependency x moved from y to z).

On Sat, Aug 25, 2018 at 11:52 AM Michael Miklavcic <
michael.miklavcic@gmail.com> wrote:

> Somewhere along the line the dependencies appear to have changed, but the
> file never got checked in. I don't like that this part of our build also
> seems to be non-deterministic. If I build metron 0.4.x today, for instance,
> what will I get? If the answer is "who knows?" that's unacceptable, imo.
> I've glanced at the package file and see carets littering the
> dependencies, which as I understand it means "get me anything later than
> this version." I do not think we should be doing that.
>
>
> On Sat, Aug 25, 2018, 9:14 AM Casey Stella <ce...@gmail.com> wrote:
>
> > I have looked into this for other reasons and the guidance that I've seen
> > is to check in package-lock.json into source control.  I'll leave this
> > stack overflow thread here:
> >
> > https://stackoverflow.com/questions/44206782/do-i-commit-the-package-lock-json-file-created-by-npm-5
> >
> > I want to point out that I hate that this changes as part of the build.  I
> > haven't gotten a complete handle on exactly why package-lock is changing
> > seemingly non-deterministically yet.
> >
> > Casey
> >
> > On Sat, Aug 25, 2018 at 11:05 AM Nick Allen <ni...@nickallen.org> wrote:
> >
> > > Yes, I have noticed that also, but have not looked deeper.
> > >
> > > On Sat, Aug 25, 2018 at 10:32 AM Otto Fowler <ot...@gmail.com>
> > > wrote:
> > >
> > > > I just did a PR, and saw that the package.lock file for alerts-ui was
> > > > changed, with updated versions.
> > > > I did *not* change the file, nor anything in metron-interface. That seems
> > > > to imply that this file is changed or updated by
> > > > something that happens during building or deploying full dev.
> > > >
> > > > Is this true?  How does this work?  Is this on purpose?
> > > >
> > > > ottO
> > > >
> > >
> >
>

Re: package.lock changes during build?

Posted by Michael Miklavcic <mi...@gmail.com>.
Somewhere along the line the dependencies appear to have changed, but the
file never got checked in. I don't like that this part of our build also
seems to be non-deterministic. If I build metron 0.4.x today, for instance,
what will I get? If the answer is "who knows?" that's unacceptable, imo.
I've glanced at the package file and see carets littering the
dependencies, which as I understand it means "get me anything later than
this version." I do not think we should be doing that.


On Sat, Aug 25, 2018, 9:14 AM Casey Stella <ce...@gmail.com> wrote:

> I have looked into this for other reasons and the guidance that I've seen
> is to check in package-lock.json into source control.  I'll leave this
> stack overflow thread here:
>
> https://stackoverflow.com/questions/44206782/do-i-commit-the-package-lock-json-file-created-by-npm-5
>
> I want to point out that I hate that this changes as part of the build.  I
> haven't gotten a complete handle on exactly why package-lock is changing
> seemingly non-deterministically yet.
>
> Casey
>
> On Sat, Aug 25, 2018 at 11:05 AM Nick Allen <ni...@nickallen.org> wrote:
>
> > Yes, I have noticed that also, but have not looked deeper.
> >
> > On Sat, Aug 25, 2018 at 10:32 AM Otto Fowler <ot...@gmail.com>
> > wrote:
> >
> > > I just did a PR, and saw that the package.lock file for alerts-ui was
> > > changed, with updated versions.
> > > I did *not* change the file, nor anything in metron-interface. That seems
> > > to imply that this file is changed or updated by
> > > something that happens during building or deploying full dev.
> > >
> > > Is this true?  How does this work?  Is this on purpose?
> > >
> > > ottO
> > >
> >
>
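The two mechanisms discussed in this thread (Shane's point that `npm install` re-resolves ranges and rewrites package-lock.json, and Michael's point that a caret range means "anything later than this version" within the same major) can be modelled without touching a registry. The script below is an added example, not code from the Metron project, the npm blog post or anyone on this thread. Package names (`left-widget`, `tiny-parser`, `pinned-lib`), versions, the registry listing and the lockfile contents are all constructed; the caret semantics follow npm's documented node-semver rules, and pre-release tags are out of scope.

```javascript
// Added example (not from the Metron thread, Metron or npm): shows how a caret
// range in package.json lets a fresh `npm install` pick a newer version than
// the one recorded in package-lock.json, and how a build can detect that drift.
// All package names, versions and lockfile contents below are constructed.

// Parse "MAJOR.MINOR.PATCH" into numbers. Pre-release tags are out of scope.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  if (!m) throw new Error(`unsupported version string: ${v}`);
  return { major: +m[1], minor: +m[2], patch: +m[3] };
}

function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  return (pa.major - pb.major) || (pa.minor - pb.minor) || (pa.patch - pb.patch);
}

// Caret semantics as node-semver defines them: ^X.Y.Z allows changes that do
// not modify the left-most non-zero component.
//   ^1.2.3 => >=1.2.3 <2.0.0    ^0.2.3 => >=0.2.3 <0.3.0    ^0.0.3 => >=0.0.3 <0.0.4
// A bare version (no caret) pins exactly.
function satisfies(version, range) {
  if (!range.startsWith('^')) return compareVersions(version, range) === 0;
  const baseStr = range.slice(1);
  if (compareVersions(version, baseStr) < 0) return false;
  const base = parseVersion(baseStr);
  const v = parseVersion(version);
  if (base.major > 0) return v.major === base.major;
  if (base.minor > 0) return v.major === 0 && v.minor === base.minor;
  return v.major === 0 && v.minor === 0 && v.patch === base.patch;
}

// What `npm install` does with a range: resolve to the highest published
// version that satisfies it, regardless of what the lockfile already pinned.
function resolveHighest(range, published) {
  const ok = published.filter(v => satisfies(v, range));
  if (ok.length === 0) return null;
  return ok.slice().sort(compareVersions).pop();
}

// Compare what the committed lockfile pins against what a fresh resolution
// would pick. Any difference is the "lockfile changed during the build"
// symptom from the thread. Returns [{ name, range, locked, resolved }].
function lockfileDrift(packageJson, lockfile, registry) {
  const drift = [];
  for (const [name, range] of Object.entries(packageJson.dependencies)) {
    const locked = (lockfile.dependencies[name] || {}).version;
    const resolved = resolveHighest(range, registry[name] || []);
    if (locked !== resolved) drift.push({ name, range, locked, resolved });
  }
  return drift;
}

// Constructed sample data: a package.json with two caret ranges and one exact pin.
const packageJson = {
  dependencies: { 'left-widget': '^1.4.0', 'tiny-parser': '^0.3.1', 'pinned-lib': '2.0.0' },
};
// Constructed committed lockfile (the shape is simplified; real lockfiles carry more).
const committedLock = {
  dependencies: {
    'left-widget': { version: '1.4.2' },
    'tiny-parser': { version: '0.3.1' },
    'pinned-lib':  { version: '2.0.0' },
  },
};
// Constructed registry listing: versions published since the lockfile was committed.
const registry = {
  'left-widget': ['1.4.2', '1.5.0', '2.0.0'], // 1.5.0 satisfies ^1.4.0; 2.0.0 does not
  'tiny-parser': ['0.3.1', '0.3.4', '0.4.0'], // 0.3.4 satisfies ^0.3.1; 0.4.0 does not
  'pinned-lib':  ['2.0.0', '2.0.1'],          // exact pin: 2.0.1 is never eligible
};

// Running this reports left-widget (1.4.2 -> 1.5.0) and tiny-parser (0.3.1 -> 0.3.4)
// as drift; pinned-lib is stable because it has no range to re-resolve.
console.log(JSON.stringify(lockfileDrift(packageJson, committedLock, registry), null, 2));
```

The model only re-resolves top-level dependencies, but the same caret re-resolution happens for every transitive dependency, which is why a lockfile can change even when package.json did not. In a real build the equivalent guard is to run `npm ci` (which installs exactly the lockfile and errors out if package.json and package-lock.json disagree, instead of rewriting the lock) and then fail the job if `git diff --exit-code package-lock.json` reports a change.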

Re: package.lock changes during build?

Posted by Casey Stella <ce...@gmail.com>.
I have looked into this for other reasons and the guidance that I've seen
is to check in package-lock.json into source control.  I'll leave this
stack overflow thread here:
https://stackoverflow.com/questions/44206782/do-i-commit-the-package-lock-json-file-created-by-npm-5

I want to point out that I hate that this changes as part of the build.  I
haven't gotten a complete handle on exactly why package-lock is changing
seemingly non-deterministically yet.

Casey

On Sat, Aug 25, 2018 at 11:05 AM Nick Allen <ni...@nickallen.org> wrote:

> Yes, I have noticed that also, but have not looked deeper.
>
> On Sat, Aug 25, 2018 at 10:32 AM Otto Fowler <ot...@gmail.com>
> wrote:
>
> > I just did a PR, and saw that the package.lock file for alerts-ui was
> > changed, with updated versions.
> > I did *not* change the file, nor anything in metron-interface. That seems
> > to imply that this file is changed or updated by
> > something that happens during building or deploying full dev.
> >
> > Is this true?  How does this work?  Is this on purpose?
> >
> > ottO
> >
>

Re: package.lock changes during build?

Posted by Nick Allen <ni...@nickallen.org>.
Yes, I have noticed that also, but have not looked deeper.

On Sat, Aug 25, 2018 at 10:32 AM Otto Fowler <ot...@gmail.com>
wrote:

> I just did a PR, and saw that the package.lock file for alerts-ui was
> changed, with updated versions.
> I did *not* change the file, nor anything in metron-interface. That seems
> to imply that this file is changed or updated by
> something that happens during building or deploying full dev.
>
> Is this true?  How does this work?  Is this on purpose?
>
> ottO
>