Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Publishing order should take peerDependencies into account #1437

Closed
loganfsmyth opened this issue May 25, 2018 · 8 comments · Fixed by #2152 · May be fixed by adamlaska/scatter-js#3
Closed

Publishing order should take peerDependencies into account #1437

loganfsmyth opened this issue May 25, 2018 · 8 comments · Fixed by #2152 · May be fixed by adamlaska/scatter-js#3

Comments

@loganfsmyth
Copy link
Contributor

Currently the package graph ordering is defined in

lerna/core/package-graph/index.js

Line 68 in bd79949

? Object.assign({}, currentNode.pkg.optionalDependencies, currentNode.pkg.dependencies)
and only takes dependencies into account, and not peerDependencies. This means it is possible to publish a module with a peerDependency on a specific version that you are publishing at the same time, and the version with the peerDependency may be published before the version that it depends on.

Expected Behavior

Ideally the version ranges in the peerDependencies should be validated, and if the range is only satisfied by the version you are just about to publish, it should publish it later, after the dependency is publishes.

Context

Just noticed on Babel that @babel/cli was being published before @babel/core which means there is a period (which on this publish was about 4.5 minutes, since we publish a LOT of packages), where the CLI depends on a non-existent version of @babel/core because during our beta phase we're using specific non-range peerDependencies. That gets extra dangerous once you take caching registry mirrors into account.

Your Environment

Executable Version
lerna --version 2.0.0
npm --version VERSION
yarn --version 1.6
node --version 6.12.3
@loganfsmyth
Copy link
Contributor Author

This is also exacerbated by #1018 since Lerna actually explicitly changes the peerDependency to a non-range version.

@loganfsmyth loganfsmyth mentioned this issue May 25, 2018
Closed
@evocateur
Copy link
Member

It's weird that publish even cares to distinguish between "allDependencies" vs "dependencies" when constructing the graph. Batching "dependencies" merely omits devDependencies, which is the traditional location for pairing with peerDependencies (and would "solve" your issue). There's a comment explanation, but it's still weird. (I'd rather just throw on all circularity, tbh)

We would need to improve the peerDependencies parsing to recognize local siblings, and I doubt that work would be easy to back-port into the 2.x branch. 3.x will be latest soon enough, however.

Notably, since v2.7.0 lerna does not mutate peerDependencies during publish (#1187).

@loganfsmyth
Copy link
Contributor Author

It's weird that publish even cares to distinguish between "allDependencies" vs "dependencies" when constructing the graph.

I see it as important because it's possible to have dependency cycles that are present when devDependencies are taken into account, which don't actually matter to users of your package. If devDependencies were walked too, it makes it much more likely that you'd publish in a bad order due to cycles.

We would need to improve the peerDependencies parsing to recognize local siblings, and I doubt that work would be easy to back-port into the 2.x branch. 3.x will be latest soon enough, however.

No problem. Thanks for your work on Lerna :)

Notably, since v2.7.0 lerna does not mutate peerDependencies during publish (#1187).

Oh cool, great to know. I saw that the issue I linked was still open and assumed it hadn't been tackled yet.

@stale
Copy link

stale bot commented Dec 27, 2018

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

@stale stale bot added the stale label Dec 27, 2018
@stale stale bot closed this as completed Jan 3, 2019
@sparebytes
Copy link

It appears lerna 3.13.1 doesn't honor peerDependencies for toposort. Is the solution to use peerDependencies in conjunction with devDependencies?

@padraig-meaney
Copy link
Contributor

Running in to this issue as well, using a mono repo with 3 packages (A. B. C) where A is a peerDep (and devDep) of B and C, and B is also a peerDep (and devDep) of C.

I can work around this for now by also specifying the packages as optionalDependencies, but would you be open to a PR to add a flag to include devDeps when evaluating the publish hierarchy? At least that way if a user needs the behavior they can opt in.

@evocateur
Copy link
Member

@sparebytes Yes, it is a best practice with npm packages (regardless of monorepo or not) to specify devDependencies for every member of peerDependencies.

@padraig-meaney I agree it's unfortunate that proper peer+dev deps aren't taken into account in lerna publish order. I would be open to a --graph-type flag whose value defaults to the current argument ("dependencies"), but with an optional "all" value that achieves what you're looking for.

(as much as it's tempting to automatically include devDependencies in the topological order if local peer + dev deps are detected, I feel that's a bit too magical at this point)

# equivalent to current behavior
npx lerna publish --graph-type dependencies

# adds devDependencies to the package graph, thus influencing the topological sort
npx lerna publish --graph-type all

Configured in lerna.json:

{
  "command": {
    "publish": {
      "graphType": "all"
    }
  },
  "packages": [
    "packages/*"
  ],
  "version": "independent"
}

I'd be very interested in flipping the default in the next major, always adding devDependencies to the package graph for lerna publish (which is the default for literally every other command that topologically sorts the package graph, such as lerna exec and lerna run). There's enough logging when circularity is encountered, and we could suggest --graph-type=dependencies as a (possible) fix for it.

Reopening to track the work.

@evocateur evocateur reopened this Jun 15, 2019
@padraig-meaney
Copy link
Contributor

@evocateur that sounds great to me. I may have some free bandwidth in the next 2 weeks to put together a PR for this.

padraig-meaney added a commit to padraig-meaney/lerna that referenced this issue Jun 23, 2019
@padraig-meaney
fix(publish): Allow specifying a graph-type
d02ff96 
Allow for configuration of a specific graphType, so that users can opt-in to using devDependencies when building a package graph during publish.

Closes lerna#1437.
@padraig-meaney padraig-meaney mentioned this issue Jun 23, 2019
Merged
9 tasks
evocateur pushed a commit to padraig-meaney/lerna that referenced this issue Jul 18, 2019
@padraig-meaney @evocateur
fix(publish): Allow specifying a graph-type
3a16681 
Allow for configuration of a specific graphType, so that users can opt-in to using devDependencies when building a package graph during publish.

Closes lerna#1437.
evocateur pushed a commit that referenced this issue Jul 18, 2019
@padraig-meaney @evocateur
fix(publish): Add --graph-type option to control packages included …
ae87669 
…in topological sort (#2152)

Allow for configuration of a specific `graphType` so that users can opt-in to using `devDependencies` when building a package graph to determine a topological sort.

Closes #1437
@snyk-bot snyk-bot mentioned this issue Sep 27, 2019
Open
gera2ld added a commit to markmap/markmap that referenced this issue Nov 5, 2020
@gera2ld
chore: set publish.graphType to all
70b09fe 
See lerna/lerna#1437 (comment)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
4 participants
@evocateur @loganfsmyth @padraig-meaney @sparebytes