/blog /JavaScript
If you are front-end developer dealing with single page applications you probably know that JavaScript ecosystem is not perfect at all. A few things may go wrong and break your build. In this article I’ll go through those features . Features which are, by my humble opinion, problematic.
Semantic versioning is a way to describe what is our release about. It’s a version number that by specification has three groups – Major.Minor.Patch. While we write a module and publish it on npm (Node.js’s package manager) we use semantic versioning to say what we’ve changed.
We have these simple rules and we have to follow them so we provide a sane updates of our work. Especially today, where most of the complex JavaScript apps are house of cards this is really important. We have lots of dependencies and these dependencies have their own dependencies and so on.
Here is what currently broke our build:
Our project has the following dependencies in its package.json
file:
{
"devDependencies": {
"browserify": "~13.0.0",
"karma-browserify": "~5.0.1"
}
}
It was fine for months. We run npm install
lots of times locally and on our servers. However, a new version of browserify
was published. Nothing big, just a patch release and the new one became 13.0.1
. Then we suddenly started getting builds failures. We didn’t change anything, it was working in the morning and it didn’t after lunch. The error that appeared in the terminal was:
error code EPEERINVALID
error peerinvalid The package browserify@13.0.1 does not satisfy its siblings' peerDependencies requirements!
error peerinvalid Peer karma-browserify@5.0.4 wants browserify@>=10.0.0 <=13.0.0
The message is pretty clear. We opened the package.json
file of karma-browserify
and we found:
"devDependencies": {
"browserify": "^13.0.0",
...
},
"peerDependencies": {
"browserify": ">=10.0.0 <=13.0.0",
...
}
And because we used ~13.0.0
we got 13.0.1
which is not satisfying >=10.0.0 <=13.0.0
requirement. The fix from our side was to use a strict version ( 13.0.0
) of browserify or quickly use strict version of karma-browserify ( 5.0.5
) where the issue is resolved by bumping the peer dependency to ">=10 <14"
.
And here I started thinking that the flexibility of npm’s semver and semver ranges are not always a good thing. To be honest I don’t like using ~
or ^
or versions like 2.3.x
. I prefer relying on specific versions. I see the points of having these features which are around the idea that we can get fixes and improvements almost for free. We don’t have to update our package.json
file. We get the latest and the greatest version of our dependency without explicitly asking for it. Well, we all know that that’s not the case. I ended up with the following conclusions:
npm install
is definitely not a pure-ish process. npm
as a tool is awesome. Don’t get me wrong. I like it and I use it every day. However, there are some areas which need tweaking and features that are bringing more problems then solving.
The issue above was caused by peer dependencies definition in karma-browserify
. The peerDependencies
property allows us to specify modules that our library depends on. It’s widely used in the cases where we have a tool and plugins to it. The plugins obviously work with specific version of the host package. The idea is not bad but:
build
script). >=10.0.0 <=13.0.0
good approach? Without a super clear roadmap of the main module how you know that your plugin is compatible with version 12 for example. That’s a very big assumption. Post-install scripts are handy when we want performing an action after our module is downloaded on the client’s machine. It’s very often used for compiling native libs or producing transpiled code. There are modules that depend on C++ binaries and the most common approach is to get the source code and compile it once it is downloaded. My problem here is that the process is slow and it needs some additional stuff installed on the client machine. Locally it’s probably fine because we have power and root access but what about virtual machines or development servers where we have limited resources. It simply takes time.
Instead of compiling C++ code I would suggest to download the binary from a trusted source. Like it’s done in phantomjs-prebuilt
package here . It may take few minutes but it’s just downloading, not compiling.
I was using Windows before and sometimes when I wanted to delete the node_modules
folder I wasn’t able to do it. The reason was because the file path was so long that Windows can’t handle it . Lot’s of folders nested into each other. That’s because we tend to create separate modules for every small task which leads to deep nesting. We saw what happen with thekik package drama. And to be honest the problem is not in NPM. It’s us, the developers. We got this decision, not NPM. The giant net of packages that we use as a base for our applications is not stable anymore.
I have few ideas that are floating in my mind:
.npmignore
and stop publishing files that are not needed. This will speed up the npm install
command. P.S. We should mention npm-shrinkwrap here. It helps us to lock down the versions of the dependencies. When our system is in a stable state we run the command and it outputs a npm-shrinkwrap.json
file that contains the exact module versions installed. Later during npm install
the manager uses this file knowing the exact versions of the dependencies. Kind of solves the problems with semver variations.
转载本站任何文章请注明:转载至神刀安全网,谢谢神刀安全网 » Thoughts on semantic versioning, npm and JavaScript ecosystem as a whole