Add missing npm-shrinkwrap.json #422
Conversation
|
Doesn't this actually end up causing more problems than it solves though? For example, when we released a patch for cordova-lib 9.0.1, it was immediately available to everyone. With shrinkwrap we'd need to then make a new patch release of the CLI as well? |
|
@dpogue What you say is true, we would have to do an additional release. But I think it would be preferable to know exactly which dependencies a user's Cordova installation has. I find it quite irritating. That the bugs we had in I don't even know what upgrade instructions I should give a user. |
There was a problem hiding this comment.
👍 The idea that 9.0.0 can contain a bug but as well have been fixed in the same version may sound confusing to an end-users.
A drawback would be the fix release turn around time.
Using the same example, if cordova-lib@9.0.1 was released with a fix, we must wait for about 1 (discuss) + 2 (vote) days before it is publicly released. Adding the shrinkwrap will now increase this 2 to 3 days release time to 5 to 6 days as we must perform the same process for cordova-cli.
Note: the discussion doesn't seem to have a hard requirement to be 1 day but the template we have gives a grace period of 1 day to talk about the release before preparing.
This comment has been minimized.
This comment has been minimized.
|
Do we still need this PR since we ship a package-lock.json file? |
Yes. In fact Like discussed above, this would have the benefit of actually freezing a release and the drawback of increased bugfix turnaround time, given our release process |
|
As much as I don't like package lock & shrink-wrap files, this would probably have prevented issue #543. |
We had this file in Cordova 8 but must have missed it for the release of Cordova 9. As discussed before, this is important to make the release immutable.
This is a patch-level change