Verify transitive dependencies #6
Comments
|
Yeah, biggest problem is that it makes the process very slow. So for
development purposes it is not really suitable imho. But probably we could
do something smart, like install from tarball only if package.json changed
or something.
On Mon, 15 Jul 2019 at 21:56, Dmitrii Kanatnikov <[email protected]> wrote:
… npm supports installing tarball, so we can run install here -
https://github.com/mweststrate/relative-deps/blob/master/index.js#L150
|
Most often yes, but what if a package has deps that cannot be deduped?
I don't know how often this happens. I suppose that for a UI lib it is not good to have deps (better to have peerDeps and devDeps for tests), but for a server lib it is quite a normal situation. Maybe I am wrong
|
I think this can be quite simply supported: on first install / changed
package.json do a normal npm install of the tarball. On incremental
installs, remove everything but the node_modules and update from the
tarball.
…On Tue, Jul 16, 2019 at 11:28 AM Dmitrii Kanatnikov < ***@***.***> wrote:
So for development purposes it is not really suitable imho
Most often yes, but what if package has deps that cannot be deduped?
node_modules
***@***.***
relative-dep
node_modules
***@***.***
I don't know how often does this happen. I suppose that for UI lib it is
not good to have deps (better to have peerDeps and devDeps for tests), but
for server lib it is quite normal situation. Maybe I am wrong
|
Currently, relative packages are not installed through yarn/npm, but simply extracted. While in general that works great, it might cause issues if there are differences between the transitive dependencies of the local package, and the published one. It would be great to detect and fix that.
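
One way to detect the drift discussed in this thread, as an added example that is not code from relative-deps: it compares the dependency fields of the previously extracted `package.json` with the current local one and chooses a full install only when they differ or a declared dependency is not installed. The function names, the `dep-a`/`dep-b` packages and the sample manifests are constructed for illustration, and comparing only the dependency fields (rather than the whole `package.json`) is an assumption.

```javascript
// Fields whose change alters the transitive dependency tree (assumed set).
const DEP_FIELDS = ["dependencies", "optionalDependencies", "peerDependencies"];

// Own-property check, so names like "constructor" are not found on the prototype.
const own = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// Compare dependency declarations of two parsed package.json objects.
// Returns one record per name whose range was added, removed or changed.
function dependencyDrift(previousPkg, currentPkg) {
  const drift = [];
  for (const field of DEP_FIELDS) {
    const before = previousPkg[field] || {};
    const after = currentPkg[field] || {};
    const names = new Set([...Object.keys(before), ...Object.keys(after)]);
    for (const name of [...names].sort()) {
      const b = own(before, name) ? before[name] : null;
      const a = own(after, name) ? after[name] : null;
      if (a === b) continue;
      const kind = b === null ? "added" : a === null ? "removed" : "changed";
      drift.push({ field, name, kind, before: b, after: a });
    }
  }
  return drift;
}

// Declared runtime dependencies that are absent from the installed package names.
function missingDependencies(pkg, installedNames) {
  const installed = new Set(installedNames);
  return Object.keys(pkg.dependencies || {}).filter((n) => !installed.has(n)).sort();
}

// Choose between a full install of the tarball and an extract-only update.
function installMode(previousPkg, currentPkg, installedNames) {
  if (!previousPkg) return "full-install"; // first install: nothing to compare against
  if (dependencyDrift(previousPkg, currentPkg).length > 0) return "full-install";
  if (missingDependencies(currentPkg, installedNames).length > 0) return "full-install";
  return "extract-only";
}

// Constructed sample manifests: the copy extracted earlier and the current local source.
const extractedCopy = { name: "relative-dep", version: "1.0.0",
  dependencies: { "dep-a": "^1.0.0" } };
const localSource = { name: "relative-dep", version: "1.0.1",
  dependencies: { "dep-a": "^2.0.0", "dep-b": "^0.3.0" } };

console.log(dependencyDrift(extractedCopy, localSource));
console.log(installMode(extractedCopy, localSource, ["dep-a"]));
```
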