Preventing pnpm from displaying too many deprecation warnings #4306
Comments
|
The update notifier is not a warning. It is an info message. Currently it can be printed once a day: pnpm/packages/pnpm/src/checkForUpdates.ts Line 14 in e6cc674 Is it too frequent? I prefer users to use the latest version to get the best experience. We can change how the update notice looks like. Regarding the warnings. I think there are two frequent sources of warnings. Deprecated deps and peer deps. For peer deps we already have settings to mute those warnings. For deprecated packages, we may add some new setting. Maybe something like: {
"pnpm": {
"allowDeprecated": {
"fsevents": "*",
"request": "2"
}
}
} |
That doesn't really help. Our CI jobs run on a clean VM, so the message will appear in every CI log regardless. And if the notice is useful/relevant to someone, they might find it rather annoying that the message mysteriously disappears when you run
🤔 Thinking about this, everything you said actually makes sense for an individual person who installed PNPM themselves, and who can simply run What's causing the trouble is that in a large corporate monorepo:
Maybe all of these problems could be addressed by adding a CLI parameter or environment variable that tells PNPM it is being invoked by some other system. For example In this ...or if there is a critical fix, it might show something like this: |
That sounds great. 👍 Can this setting be specified once for the entire workspace? |
|
Yes, this would be specified in the |
Rush repositories do not have a top-level package.json. The |
|
where is the lockfile created? Also in |
|
Yes, we have:
The command line looks like: pnpm install --store C:\Git\rushstack\common\temp\pnpm-store --frozen-lockfile --strict-peer-dependencies
--recursive --link-workspace-packages false...so if we are able to store settings in |
|
Yes, you can use that |
zkochan
changed the title
zkochan
changed the title
|
🚢 7.2.0 |
|
Thank you! 🎉 |
Describe the user story
Our
pnpm installalways looks like this:When a tool prints too many warnings, users conclude that the warnings are irrelevant noise. Everyone learns to ignore those warnings. This is a problem, because later if an actually important issue arises, everyone will ignore that warning.
Above we see two specific kinds of warnings:
PNPM is very slightly outdated. Is there any urgency to upgrade from PNPM 6.29.1 to 6.30.0? No there is not. My install logs have a giant yellow boxed banner, that looks very important, but is demanding that we do work which is definitely not worthwhile.
A bunch of dependencies are deprecated. Some of these should probably get fixed. However most of them are indirect dependencies that our users cannot control. We would need to ask the upstream package to fix the issue. Unless something is actually broken, people will generally choose to ignore the issue.
Describe the solution you'd like
Here's two ways to reduce the noise:
PNPM is very slightly outdated. Having a warning for outdated PNPM is useful. But could we configure it? For example, maybe we only want to be warned if our repo is a MAJOR version behind. Or maybe >= 10 minor versions? Also it might be useful if PNPM could flag releases that fix a critical issue (e.g. security vulnerability) -- this could be communicated using an NPM dist tag. That way we could ask for
>= 10 minor versions OR a criticial fixA bunch of dependencies are deprecated. For this issue, what would be awesome is a PNPM config file that can suppress individual warnings. That way when a new warning appears, our team can investigate the package, and if we decide not to upgrade, we could record this in a config file so that PNPM no longer warns about that issue. This would eliminate the "noise that everybody ignores" problem.
The text was updated successfully, but these errors were encountered: