To be or not to be in core #1041
Comments
|
|
I think there is also:
|
|
@nodejs/tsc |
|
The undici discussion got a little heated nodejs/node#39057 which is also a reason it would be nice to be able to provide a bit more context I. Those discussions. |
|
@jasnell also had a nice write up on Twitter https://twitter.com/jasnell/status/1405682071440297986?s=21 |
|
For Simplified build/better cross platform testing if native code is required |
|
Also:
|
|
This was discussed briefly in TSC. Worth documenting. Needs more input from other @nodejs/tsc folks. Please review and comment! |
|
I wasn't there, but I would add that various efforts to be robust (mainly coding styles and primordials) are not really able to be enforced easily. To do so you have to do things like I did with MIME being able to be in a different repo : https://github.com/bmeck/node-internals-mime . I think having consistent patterns to avoid various concerns of cross module workflows gets complicated if we fracture into many different repositories but don't have any guidelines for those repositories. |
|
During today's TSC meeting it was suggested that we have a separate meeting with folks interested in this issue. Would folks be interested in that, and if so does anyone volunteer to coordinate the meeting? |
|
I would like to be in the meeting, I can try and coordinate but would have to put efforts on things on my backlog. |
|
One approach we discussed during the TSC meeting would be vendoring in modules, similar to llhttp and npm. Given the undici example; undici is developed outside of core but we vendor in specific releases (/deps) that are deemed stable. That way we maintain high development velocity outside of core whilst maintaining the LTS/CITGM workflow for core. This approach seems to work well with npm and llhttp so there is some precedence and I think this can to a large part also apply to other modules mentioned above. The open question here is how to handle the documentation. I wonder if we can easily vendor in the documentation as well given that the module uses the same doc style? That shouldn't be too much work. This also makes it easier to actually get into something into core as e.g. the whole undici test suite doesn't need to be re-written to align with how node does testing (I have a hard time seeing who would be willing to spend time doing that). |
|
One difference to npm/llhttp is that undici exposes a public API in node. As a result any breaking change done in undici can't be hidden in a glue layer implementation like it is possible for llhttp and other internal deps. |
I'm not sure that's true for npm though? But yes, any semver major change in undici could only be vendored in during a semver major node core release. I don't see any problem with that. |
|
Another question. If we vendor in js modules. Should we have a rule that they must live under the node org in Github? So that we have control? |
It's no problem. It just means that these vendored modules need at least some sort of maintainance strategy matching to core for e.g. backporting, testing and releasing fixes,.... Or in ohter words, I think some burden of "being part of the node binary" needs to be acepted by these modules. Otherwise node may end up in exposing an API of an unmaintained package. I guess one requirement is also that the license of these modules allows that node core may decide to fork it and maintain their own variant. Clearly these are just worst case scenarios, I assume it just works fine on default. |
Yes, that goes a bit under my other question on whether we should require these modules to live under the node org, e.g. we've already moved undici to node/undici. |
|
FWIW currently we vendor https://github.com/guybedford/cjs-module-lexer, which is outside of nodejs org, introduced in nodejs/node#35249. It seems to meet all the requirements suggested in #1041 (comment), so it seems to be sufficient IMHO. |
This would also help a little with filtering suggestions, i.e. if the author is not willing to move it into the node org then maybe it shouldn't be in core? |
|
@aduh95 yes, we actually also vendor in acorn which is also outside of nodejs. These modules however do not follow the defensive coding patterns of node core. In part because we can't easily ship things to npm that do follow those patterns. Hence my wanting some kind of enforcement of quality and robustness since we are adopting the potential attack vectors etc. of those modules. Having different coding standards inside of our runtime and the vendored dependencies doesn't make sense to me. We go through tremendous effort to do things like |
Maybe a good reason to have them under the node org?
It's not optimal but I'm not sure how to get around that?
Primordials are being discussed. This doesn't feel like it deserves to be a blocker.
How would that differ in terms of vendoring? |
I think this is a good start to make sure there's more control, but we'll want to have processes and automation set up (and get the maintainers onboard) to ensure that each project joins the release cycle workflow. I'm generally in favor of adding modules to Node. I'd be curious what the implications of security patches would be though. It's easy with just npm - we work closely with them and can be flexible because Node releases are accommodating 1 external project. I'm hesitant if that number becomes 5, or 10, how much that would slow down the release cycle if there are more frequent patches going out. If the governance becomes internal, maybe not at all.
If the modules don't all use the same doc style, then we'll need to standardize. Will Node.js expand the Node.js API docs or modules stay in their own docs? |
I'm not clear on what moving them into the org would change much? Are we committing to changing their codebases to match various coding patterns we expect / maintaining the modules rather than their existing maintainers?
Linting/CI seems like it works inside of Node core already for our builtins, we can enforce our needs via tooling similarly in other repositories.
The migration in core is non-trivial in vendored code since
The amount of things vendored into core is minimal and hasn't changed largely over time. Adding lots of vendored modules would mean an increasing surface area of vendored dependencies that we haven't been seeing in core with our existing vendored dependencies that are relatively stable. |
|
I'm a bit late due to things, but if I could get link as well that would be swell |
Sorry we missed you @bmeck, we briefly touched on having that MIME module in core. Pretty sure that we streamed the whole meeting, but for some reason can't seem to find the video on YouTube. (?) |
|
Video is here: https://www.youtube.com/watch?v=7Rqe4pT5XtM |
I did send you the link while in the meeting. You didn't get it? |
|
Not yet mentioned but I think it is important: Funding, |
|
I've started a discussion here: nodejs/node#39779 |
|
I've missed this comment. Will fill it up as soon as I get them. |
Document the things that are considered when making the determination as to whether something should or shouldn't be in core. This does not (yet, at least) attempt to address *how* to include modules in core. (Should it be in the Node.js code base or vendored in from a separate repository?) It is limited to *whether* something should be in core or not. Closes: nodejs/TSC#1041
Document the things that are considered when making the determination as to whether something should or shouldn't be in core. This does not (yet, at least) attempt to address *how* to include modules in core. (Should it be in the Node.js code base or vendored in from a separate repository?) It is limited to *whether* something should be in core or not. Closes: nodejs/TSC#1041
Document the things that are considered when making the determination as to whether something should or shouldn't be in core. This does not (yet, at least) attempt to address *how* to include modules in core. (Should it be in the Node.js code base or vendored in from a separate repository?) It is limited to *whether* something should be in core or not. Closes: nodejs/TSC#1041
Document the things that are considered when making the determination as to whether something should or shouldn't be in core. This does not (yet, at least) attempt to address *how* to include modules in core. (Should it be in the Node.js code base or vendored in from a separate repository?) It is limited to *whether* something should be in core or not. Closes: nodejs/TSC#1041
|
89c0577 closed this because the original ask was to document considerations. But if there's more that needs to happen (and I suspect there is), let's either re-open this or create a new issue. /cc @ronag |
Document the things that are considered when making the determination as to whether something should or shouldn't be in core. This does not (yet, at least) attempt to address *how* to include modules in core. (Should it be in the Node.js code base or vendored in from a separate repository?) It is limited to *whether* something should be in core or not. Closes: nodejs/TSC#1041 PR-URL: #40338 Fixes: nodejs/TSC#1041 Reviewed-By: Robert Nagy <ronagy@icloud.com> Reviewed-By: Michael Dawson <midawson@redhat.com> Reviewed-By: Benjamin Gruenbaum <benjamingr@gmail.com> Reviewed-By: Michaël Zasso <targos@protonmail.com>
Document the things that are considered when making the determination as to whether something should or shouldn't be in core. This does not (yet, at least) attempt to address *how* to include modules in core. (Should it be in the Node.js code base or vendored in from a separate repository?) It is limited to *whether* something should be in core or not. Closes: nodejs/TSC#1041 PR-URL: #40338 Fixes: nodejs/TSC#1041 Reviewed-By: Robert Nagy <ronagy@icloud.com> Reviewed-By: Michael Dawson <midawson@redhat.com> Reviewed-By: Benjamin Gruenbaum <benjamingr@gmail.com> Reviewed-By: Michaël Zasso <targos@protonmail.com>
The discussion regarding whether or not s module should be in core seems to pop every now and then and I feel it's a little unfortunate that it kind of always has to start over from almost nothing and with different people involved.
Whether something should be or shouldn't be in core is quite complicated and it will be difficult to agree on any consistent set of rules for this that an be applied across the board. However, I think we should still be able to write up something in terms of what things we consider, what is advantages and disadvantaged to either approach etc. So that when these discussions pop up we have some form of summarized and organized prior knowledge/discussion/thoughts document to refer to.
I think it would maybe be appropriate for the TSC to provide some form of guideline here.
Some examples where it's unclear whether things should be in core or not:
and probably more...
As I see it we have 3 possible approaches on a module by module basis:
Some initial notes from me to start from:
The text was updated successfully, but these errors were encountered: