Update package-lock to v2 #29097
The current We already have a
Because the guideline that was discussed a long time ago was not to rely on a specific version but to use the latest npm version always. That said, that guideline doesn't make sense to me though :P, it's better if the project defines what npm version it supports explicitly.
That was fine while the latest versions were patch releases in the 6.x.x line. Now it means a spontaneous and uncontrolled upgrade to v7 🙂
Quoting #28834 (comment)
I'll try rebasing this PR to restart tests.
Seems like we agree overall that we shouldn't depend on "latest available npm" @noahtallen @jsnajdr @youknowriad, for aforementioned reasons. Let's use either the
dd1b99e to 0b32b8e
Sounds good. I guess we just need to make sure that
@kevin940726 filed a PR to that effect: #29204 👏
I'll close this out then :)
I was trying to install a dependency the other day. I was using [email protected], and npm install was generating wild changes to the lockfile. (See the modifications to the lock-file in this PR, which are massive.) It looks like npm is updating the file format (https://docs.npmjs.com/cli/v7/configuring-npm/package-lock-json#lockfileversion), and npm 7 switches it automatically.

Gutenberg has a precommit check which requires us to use the latest npm version. However, it seems like the project is assuming npm 6 everywhere else. For example, CI runs with npm 6, and node LTS installs npm 6 by default. This isn't compatible with our precommit check, which requires package-lock changes to be committed with npm v7. I think this is creating some issues in the static CI checks.
I wanted to start a conversation about this: do we commit to npm 7 now, and update the package lock, or should we change our local tooling to require npm 6 and not npm 7?
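
A guard for the mismatch described in this PR, as an added example that is not part of the PR or of Gutenberg's tooling: it compares the committed lockfile's `lockfileVersion` with the format the local npm writes by default, so a precommit or CI step can fail before the file is silently rewritten. It goes beyond the npm 6/7 case discussed here to cover npm 9 and later (lockfileVersion 3); the function names, sample lockfiles and version strings are constructed.

```javascript
// Added example: hypothetical helper names, not part of Gutenberg's tooling.

// Default lockfileVersion written by each npm major (5-6: v1, 7-8: v2, 9+: v3).
function lockfileVersionWrittenBy(npmVersion) {
  const major = Number.parseInt(String(npmVersion).split('.')[0], 10);
  if (!Number.isInteger(major) || major < 5) {
    throw new Error(`unsupported npm version: ${npmVersion}`);
  }
  if (major <= 6) return 1;
  return major <= 8 ? 2 : 3;
}

// Compare the committed lockfile with what the local npm would write.
function checkLockfile(lockText, npmVersion) {
  const lock = JSON.parse(lockText);
  const committed = lock.lockfileVersion;
  if (![1, 2, 3].includes(committed)) {
    return { ok: false, reason: `unknown lockfileVersion: ${committed}` };
  }
  // v1 carries only "dependencies"; v2 and v3 carry a "packages" map.
  const hasPackages = typeof lock.packages === 'object' && lock.packages !== null;
  if (hasPackages !== (committed >= 2)) {
    return { ok: false, committed, reason: 'contents do not match declared lockfileVersion' };
  }
  const written = lockfileVersionWrittenBy(npmVersion);
  if (written !== committed) {
    return {
      ok: false, committed, written,
      reason: `npm ${npmVersion} writes v${written}, repository lockfile is v${committed}`,
    };
  }
  return { ok: true, committed, written, reason: 'lockfile format matches local npm' };
}

// Constructed sample lockfiles (trimmed to the fields the check reads).
const SAMPLE_V1 = JSON.stringify({
  name: 'demo', lockfileVersion: 1, requires: true,
  dependencies: { lodash: { version: '4.17.21' } },
});
const SAMPLE_V2 = JSON.stringify({
  name: 'demo', lockfileVersion: 2, requires: true,
  packages: { '': { name: 'demo' }, 'node_modules/lodash': { version: '4.17.21' } },
  dependencies: { lodash: { version: '4.17.21' } },
});
```

In a hook, pass the contents of package-lock.json and the output of `npm --version` to `checkLockfile` and exit non-zero when `ok` is false.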