Subject of the feature
Relax dependency versions.
Problem
See https://github.com/mdx-js/mdx/pull/858#issuecomment-563336666. Essentially, when installing an MDX package such as @mdx-js/mdx, I would rather not have a pinned version of any @babel/* dependencies installed - this causes duplicate versions and can plausibly lead to subtle bugs. If you look at https://unpkg.com/@mdx-js/mdx@1.5.1/package.json, you'll see @babel/core 7.6.2 gets installed, as well as fixed versions for @babel/plugin-syntax-jsx and @babel/plugin-syntax-object-rest-spread.
Expected behavior
Dependencies should use carets (e.g. ^7.6.2).
Alternatives
Yarn users are able to use things like Yarn resolutions but it's not ideal to have to resort to resolutions.
/cc @JounQin @johno
NMinhNguyen
All 15 comments
Based on our experience at @zeit not using pinned deps will lead to the package randomly breaking a lot.
timneutkens
on 12 Dec 2019
@timneutkens I think that pinning versions can give a false sense of security - e.g. all Babel deps use carets for their own deps, so you get non-deterministic installs with every new install without a lockfile anyway.
NMinhNguyen
on 12 Dec 2019
@NMinhNguyen it greatly reduces the vector of breakage though.
timneutkens
on 12 Dec 2019
@timneutkens Perhaps you could consider relaxing some common (and actively maintained and reliable) build tooling dependencies that aren鈥檛 really meant to be duplicated (like Babel)?
NMinhNguyen
on 12 Dec 2019
I'm not a fan of pining versions of depeendencies neither personally.
https://github.com/1stG/configs/blob/master/packages/renovate-config/package.json#L21
And I'm using https://github.com/atlassian/yarn-deduplicate on postinstall lifecycle to ensure correct dependencies.
JounQin
on 12 Dec 2019
@JounQin with the currently published packages, an older version of @babel/core gets installed because my other dependencies have a dependency on a later version of @babel/core (using a caret), so it鈥檚 unavoidable even with deduplication.
NMinhNguyen
on 13 Dec 2019
@JounQin with the currently published packages, an older version of
@babel/coregets installed because my other dependencies have a dependency on a later version of@babel/core(using a caret), so it鈥檚 unavoidable even with deduplication.
@NMinhNguyen You can try resolutions like https://github.com/mdx-js/eslint-mdx/blob/master/package.json#L46-L51 temporarily.
JounQin
on 13 Dec 2019
@JounQin yup, I actually reference Yarn resolutions in the issue description :)
NMinhNguyen
on 13 Dec 2019
@mdx-js/maintainers What do you think then?
JounQin
on 13 Dec 2019
@johno @wooorm Would you like to join this thread?
JounQin
on 27 Jan 2020
I don鈥檛 have an opinion on this. In my own projects, I prefer loose ranges, but I can see why this project would do it differently, and understand Tim鈥檚 view.
wooorm
on 27 Jan 2020
@wooorm Can you explain in details? IMO we should move all devDependencies inside workspaces into root package.json to reduce conflicts with yarn-deduplicate. And then we can run yarn workspace gatsby-example start for development.
JounQin
on 27 Jan 2020
I understand what you mean, but I don鈥檛 have an opinion on this (I personally dislike yarn, lerna, monorepo versioning).
As I don鈥檛 have an opinion on this, I trust Tim鈥檚 and John鈥檚 opinions.
wooorm
on 27 Jan 2020
none of these dependencies make it to the client since it's build tooling
@johno @wooorm As the issue's thread, this is not correct.
JounQin
on 28 Jan 2020
Dev dependencies are now at the root level. We will also be keeping pinned versions for now in order to avoid subtle bugs and upstream changes.
Thanks all!
johno
on 20 Jul 2020
Related issues
lourd
路
11Comments
ChristianMurphy
路
13Comments
AlmeroSteyn
路
32Comments
slorber
路
19Comments
tornordqvist
路
19Comments
Most helpful comment
@johno @wooorm As the issue's thread, this is not correct.