chore(deps): pin dependency in-publish to v2.0.0 - autoclosed #528
Conversation
![renovate[bot]](https://avatars.githubusercontent.com/in/2740?s=60&v=4){kind=small}
|
Wait, do we want this? 🤔 We have a I know that there was some discussion about this earlier 🤔 will try and find... |
|
I'm not sure why it is putting this in when it isn't putting it there for others. I will have to investigate. |
|
here it is: commitizen/cz-conventional-changelog-default-export#4 (comment) I think we should the configuration to stop pining to specific version. What do you think @jimthedev? |
|
Aha, this is probably why. I really wish that this wasn't the default behavior since all apps really should have a Wait, actually... 🤔 The default value of Although that property talks about a https://renovatebot.com/docs/configuration-options/#rangestrategy |
|
@rarkins How would you feel about a strategy that works like this?
I think that this would be a better approach than the current Basically with the same motivation as our discussion here: commitizen/cz-conventional-changelog-default-export#4 (comment) |
|
How would you update your lock file and how often? Ie to keep up with bug fixes |
|
FYI current “auto” behaviour widens any complex OR range as you suggest. The “config:base” preset by default will widen all peer dependencies. Eg if you had ^3.1.0 then it will become “^3.1.0 || ^4.0.0”. I think this makes more sense than changing from 3.x to 4.x only if 3.x still works. |
|
Renovate without presets (ie tool defaults) will use strategy “replace” for all ranges including complex. If you set to “auto” then it always pins devDependencies and pins dependencies only if it detects an app. I’m open to an additional rangeStrategy option “pinNotLocked” or “autoPinNotLocked” that means “ auto detect pin only if no lock file present” but I don’t think that should replace the current behaviour of “auto” |
Would potentially be cool to make a PR as soon as any dependency en the entire package-lock.json file is updated 😄 That would actually tie in quite nicely into the next thing... I think that in a lib you don't really want to update your dependencies, just for the sake of it. If you go after the principle that you should release change on master as soon as possible (which I really think that one should), that would most often mean that as soon as any of your dependencies have a new version, you will also have a new version. With the number of packages that one package can depend on, I don't think that would scale well at all, and it's completely unnecessary since what you want to do is bump the number in your lockfile. Basically, my dream scenario is: Every package uses Every package have a Whenever any dependency in the Whenever any dependency in the If an issue is discovered in the package, which is because of an outdated dependency, a PR should be made that bumps that version This approach is the only one that tests each and every smallest unit of change to your code with CI. Whenever any package used, both directly and indirectly, by your package is changed, you will immediately know and the tests will run with that change. In my opinion, pinning the dependencies is never the right answer, since it will at best only solve a small subset of the potential problems. Worse, it could actually prevent users of your library from getting important bugfixes in downstream dependencies. The more I think about it, I really like this approach. Another great benefit is that as soon as I as a library author releases a new version of my library, every other package that uses that will run their CI. With this in place, we could reverse the flow and automatically open an issue on the library if, say, more than 3 other packages CI broke because of that release. Before we couldn't do that since every CI run had potentially tons of packages changed between them. But bumping every dep in package-lock.json would allow us to know exactly what version of what library that broke the build. |
|
I think that this works around another problem: the excessive bumping of packages whenever a dependency has a new version. Your package should specify which versions that your package works with in the As a library author, I think we should be generous with our ranges since that will make it easier for dedupe to happen. Our users can get these upgrades by bumping their As usual I'm just rambling on about this 😄 |
|
Actually I had a similar idea but was mostly just waiting for someone to ask for it. I hadn’t thought about the benefits to library authors about not bumping releases though, which is an excellent point. The idea was to have a new rangeStrategy=update-lockfile and it behaves pretty similarly to current except it leaves ranges in package.json and updates the lock file “deliberately” instead once it detects a new version of a direct dependency. Sounds like what you’re after, so now I have a reason to implement :) |
|
Awesome! |
renovate
bot
changed the title
renovate
bot
changed the title
renovate
bot
force-pushed
the
renovate/pin-dependencies
branch
from
df17666 to
f0042aa
Compare
renovate
bot
force-pushed
the
renovate/pin-dependencies
branch
from
f0042aa to
4c94554
Compare
renovate
bot
changed the title
This Pull Request updates dependency in-publish from
^2.0.0tov2.0.0This PR has been generated by Renovate Bot.