Hapi: package.json engines, yarn, and semver rules

Created on 2 Nov 2018 · 4 Comments · Source: hapijs/hapi

TL;DR - no hapi module officially supports yarn. If you choose yarn as your installer, you are doing it at your own risk and things are likely to break every once in a while. This has been our policy from the day yarn was released.

The recent changes to all hapi core modules to require node >=8.12.0 have caused some issues for people using yarn instead of npm. While hapi does work with yarn in general, it is not officially supported. This issue was raised in the past and the decision was to only officially support npm. There are a few reasons:

  • yarn does not support the npm-shrinkwrap.json file hapi uses to ensure a secure and certified build. If you use yarn to install hapi, you are not getting the same versions as those tested and verified by us and the CI environment.
  • our entire CI process uses npm which means we do not see any potential issues with yarn. When something breaks, it will first happen in your environment, which means, it will break first and then you will need to report it and get it resolved.

As for changing the minimum required node version in the engines field of package.json, we do that on a routine basis every few months, usually around a big release effort. If you use npm, the engines field is used to generate warnings only, never blocking a release (this is true since npm v3). We do this because:

  • we want to push our community to always use the most recent, secure version of node available.
  • our CI only tests on latest which means it is the only version we know for sure works correctly (this has been an issue in the past with about a dozen cases where a patch version of node broke something in hapi).
  • we do not support yarn and this has never been an issue with npm.

If you are using yarn and are now having an issue with a conflict between the required node version (currently v8.12.0) and the one deployed on your environment, simply change your yarn install command to add the --ignore-engines option, which will resolve it.

breaking changes documentation

All 4 comments

For people having issues, note that the --ignore-engines (with a trailing 's'!) option can be specified for the entire project through the use of a .yarnrc checked into your repository. Just put the following line inside:

--ignore-engines true

Thanks for the quick and thorough response @hueniverse. I raised an issue with yarn regarding the inconsistent behaviour.

One thing I'd point out though, it doesn't look like npm provides any warnings when you do an install and are using a lower node version. So if the sole reason for including the engines section is to encourage people to use the latest version of node, it's probably not terribly effective at the cost of inconveniencing (probably quite a few) yarn users.

adanilev$ yarn
yarn install v1.9.4
info No lockfile found.
[1/4] 🔍  Resolving packages...
[2/4] 🚚  Fetching packages...
error [email protected]: The engine "node" is incompatible with this module. Expected version ">=8.12.0".
error Found incompatible module
info Visit https://yarnpkg.com/en/docs/cli/install for documentation about this command.

vs

adanilev$ npm i
npm notice created a lockfile as package-lock.json. You should commit this file.
added 2 packages and audited 2 packages in 2.587s
found 0 vulnerabilities

@adanilev I think you've talked me into dropping engines completely since it is basically documentation only.

This thread has been automatically locked due to inactivity. Please open a new issue for related bugs or questions following the new issue template instructions.
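
Because npm installs without complaint on an older node, as the comparison in the thread shows, a project that wants the engines field enforced regardless of installer can check it itself in CI. The following is an added example, not code from hapi, npm or yarn; the function names and sample manifests are made up for illustration, and only the ">=X.Y.Z" range form quoted in this thread is evaluated (anything else is flagged for manual review).

```javascript
// Added example: audit "engines.node" constraints against a node version.
// Not hapi/npm/yarn code. Only ">=X.Y.Z" ranges are evaluated.

function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)$/.exec(String(v).trim());
  return m ? m.slice(1).map(Number) : null;
}

// Returns true/false for ">=X.Y.Z" ranges, null when the range or the
// version is in a form this example does not understand.
function satisfiesMin(version, range) {
  const m = /^>=\s*(\S+)$/.exec(String(range).trim());
  const min = m && parseVersion(m[1]);
  const cur = parseVersion(version);
  if (!min || !cur) return null;
  for (let i = 0; i < 3; i++) {
    if (cur[i] !== min[i]) return cur[i] > min[i];
  }
  return true; // exactly the minimum version
}

// manifests: array of parsed package.json objects.
function checkEngines(manifests, nodeVersion) {
  const findings = [];
  for (const pkg of manifests) {
    const range = pkg.engines && pkg.engines.node;
    if (!range) continue; // no constraint declared
    const ok = satisfiesMin(nodeVersion, range);
    if (ok === true) continue;
    const status = ok === false ? 'incompatible' : 'unsupported-range';
    findings.push({ name: pkg.name, range, status });
  }
  return findings;
}

// Constructed sample manifests; names and versions are illustrative only.
const sampleManifests = [
  { name: 'example-framework', engines: { node: '>=8.12.0' } },
  { name: 'example-util', engines: { node: '>=6.0.0' } },
  { name: 'example-no-engines' },
  { name: 'example-caret', engines: { node: '^10.0.0' } },
];

// In CI, pass process.version and fail the job when findings is non-empty.
const findings = checkEngines(sampleManifests, 'v8.11.3');
for (const f of findings) console.log(`${f.status}: ${f.name} wants node ${f.range}`);
```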
