mirror of https://github.com/Llewellynvdm/nativefier.git, synced 2024-12-22 18:18:55 +00:00
Build: re-introduce a package-lock.json file
They were used a long time ago, then I scrapped them for simplicity to new contributors. I'm re-considering this and re-introducing one, for two (maybe three) reasons:

1. Reading on supply chain attacks
2. Build broken because of a dep change (see previous commit broken because of a change in yargs @ 17.1.0)
(3.) Performance
parent fcc3906f52
commit 0fbe7d39cb
3
.github/CONTRIBUTING.md
vendored
@ -20,9 +20,6 @@ We follow the [Airbnb Style Guide](https://github.com/airbnb/javascript), please
|
||||
The following commands might be helpful:
|
||||
|
||||
```bash
|
||||
# Run specs and lint
|
||||
npm run ci
|
||||
|
||||
# Run specs only
|
||||
npm run test
|
||||
|
||||
|
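Review bot: The helpful-commands block in CONTRIBUTING.md says nothing about the lockfiles this commit re-introduces, and this is the file first-time contributors read. HACKING.md in the same commit records that the earlier lockfile was dropped because contributors updated package.json but not the lock; a one-line pointer here to `npm run relock` and to the "Deps lockfile" section of HACKING.md would address that directly.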
2
.github/workflows/ci.yml
vendored
@ -33,7 +33,7 @@ jobs:
|
||||
with:
|
||||
node-version: ${{ matrix.node-version }}
|
||||
# Will also (through `prepare` hook): 1. install ./app, and 2. build
|
||||
- run: npm install --no-fund
|
||||
- run: npm ci --no-fund
|
||||
# Only run linter once, for faster CI. Align the versions of Node here with above and publish.yml.
|
||||
- if: matrix.platform == 'ubuntu-latest' && matrix.node-version == '16.x'
|
||||
run: npm run lint
|
||||
|
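Review bot: The `npm ci --no-fund` step runs once per `matrix.node-version`, so the committed lockfiles are read by whichever npm ships with each Node release in the matrix. HACKING.md should state which npm version `npm run relock` is expected to be run with, so the lock format stays stable between contributors and CI does not diverge from local installs.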
2
.github/workflows/publish.yml
vendored
@ -15,7 +15,7 @@ jobs:
|
||||
node-version: '16.x'
|
||||
registry-url: 'https://registry.npmjs.org'
|
||||
# Will also (through `prepare` hook): 1. install ./app, and 2. build
|
||||
- run: npm install --no-fund
|
||||
- run: npm ci --no-fund
|
||||
- run: npm test
|
||||
- run: npm run lint
|
||||
- run: npm publish
|
||||
|
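Review bot: The lockfile enforced by `npm ci --no-fund` ahead of `npm publish` covers only this workflow's own build, test and lint run. npm leaves the root `package-lock.json` out of the published tarball, so people installing the released package still resolve dependencies from the ranges in package.json. If the supply-chain goal in the commit message is meant to reach consumers too, consider publishing an `npm-shrinkwrap.json`, or say in HACKING.md that the guarantee is limited to development and release builds.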
3
.gitignore
vendored
@ -1,9 +1,6 @@
|
||||
# OSX
|
||||
.DS_Store
|
||||
|
||||
# Node.js
|
||||
package-lock.json
|
||||
|
||||
# ignore compiled lib files
|
||||
lib*
|
||||
app/lib/*
|
||||
|
@ -6,7 +6,6 @@ src/
|
||||
*eslintrc.js
|
||||
*eslintrc.yml
|
||||
*tsconfig.tsbuildinfo
|
||||
*package-lock.json
|
||||
*tsconfig.json
|
||||
*jestSetupFiles*
|
||||
*-test.js
|
||||
|
28
HACKING.md
@ -57,10 +57,10 @@ cd nativefier
|
||||
Install dependencies (for both the CLI and the Electron app):
|
||||
|
||||
```bash
|
||||
npm install
|
||||
npm ci
|
||||
```
|
||||
|
||||
The above `npm install` will build automatically (through the `prepare` hook).
|
||||
The above `npm ci` will build automatically (through the `prepare` hook).
|
||||
When you need to re-build Nativefier,
|
||||
|
||||
```bash
|
||||
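Review bot: The setup step now reading `npm ci` behaves differently from the `npm install` it replaces in two ways the text does not mention: it removes any existing `node_modules` before installing, and it exits with an error when package.json and the lockfile disagree instead of updating the lock. One sentence after "will build automatically" saying so would save contributors from reading that failure as a broken checkout.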
@ -153,26 +153,14 @@ So: do upgrade CLI & App deps regularly! Our release script will remind you abou
|
||||
|
||||
### Deps lockfile
|
||||
|
||||
Although there are benefits to a package lock (reproducible builds, install speed),
|
||||
as of writing, Nativefier doesn't use one. We tried it, and removed it after seeing
|
||||
it confused novice devs sending PRs. They don't know how to manage it, they update
|
||||
the package.json but not the lock, it's a hassle, they get discouraged.
|
||||
We do use lockfiles (`package-lock.json` & `app/package-lock.json`), for:
|
||||
|
||||
At time of writing, maximizing simplicity and ease of contribution
|
||||
seems preferable over reproducible builds and install speed.
|
||||
1. Security (avoiding supply chain attacks)
|
||||
2. Reproducibility
|
||||
3. Performance
|
||||
|
||||
Also, practically, the npm ecosystem today is stable enough that non-reproducible
|
||||
builds never caused any trouble in years (zero issues/complaints related to it).
|
||||
Semantic versioning is well respected, our users get patch/minor upgrades,
|
||||
a build at time T1 works, and a different build at time T2 > T1 works too 🙂.
|
||||
|
||||
Finally, it's not a problem for distributions / user repositories wishing to
|
||||
provide reproducible builds, because if a repo (say, AUR) wants to make *their*
|
||||
build reproducible, they can: the packager can add a lockfile to their PKGBUILD
|
||||
associated files, and it will be reproducible for them.
|
||||
|
||||
This is of course debatable and may change in the future based on bugs,
|
||||
user feedback, or future maintainers preference.
|
||||
It means you might have to update these lockfiles when adding a dependency.
|
||||
`npm run relock` will help you with that.
|
||||
|
||||
### Release
|
||||
|
||||
|
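Review bot: Item 1, "Security (avoiding supply chain attacks)", does not say what actually provides the protection. The lock only holds when installs go through `npm ci`; a plain `npm install` may rewrite it. Suggest adding that the lockfiles record an exact resolved version and integrity hash for every dependency, that CI and release use `npm ci`, and that lockfile changes in a PR should be reviewed like any other change, since they decide which code gets installed.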
@ -1 +0,0 @@
|
||||
package-lock=false
|
2178
app/package-lock.json
generated
Normal file
File diff suppressed because it is too large
14312
package-lock.json
generated
Normal file
File diff suppressed because it is too large
@ -36,14 +36,14 @@
|
||||
"build": "npm run clean && tsc --build shared src app && npm run build-app && npm run build-app-static",
|
||||
"build:watch": "npm run clean && tsc --build shared src app --watch",
|
||||
"changelog": "./.github/generate-changelog",
|
||||
"ci": "npm run lint && npm test",
|
||||
"clean": "rimraf coverage/ lib/ app/lib/ app/dist/ shared/lib",
|
||||
"clean:full": "npm run clean && rimraf app/node_modules/ node_modules/",
|
||||
"lint:fix": "cd src && eslint . --ext .ts --fix && cd ../shared && eslint src --ext .ts --fix && cd ../app && eslint src --ext .ts --fix",
|
||||
"lint:format": "prettier --write 'src/**/*.ts' 'app/src/**/*.ts' 'shared/src/**/*.ts'",
|
||||
"lint": "eslint shared app src --ext .ts",
|
||||
"list-outdated-deps": "npm out; cd app && npm out; true",
|
||||
"prepare": "cd app && npm install && cd .. && npm run build",
|
||||
"prepare": "cd app && npm ci && cd .. && npm run build",
|
||||
"relock": "rm -rf ./node_modules/ ./app/node_modules/ ./package-lock.json ./app/package-lock.json; npm install --package-lock --ignore-scripts && npm out; cd app && npm install --package-lock --ignore-scripts && npm out; cd .. && true",
|
||||
"test:integration": "jest --testRegex '.*integration-test.js'",
|
||||
"test:manual": "npm run build && ./.github/manual-test",
|
||||
"test:unit": "jest",
|
||||
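Review bot: The `relock` script starts by deleting both `./package-lock.json` and `./app/package-lock.json`, so every run re-resolves the whole tree rather than only the dependency being added. HACKING.md points contributors at it for "adding a dependency", which means a one-package change will also move every transitive version that has a newer release in range, and the intended change gets buried in a large lockfile diff. Suggest documenting `npm install <package>` (which updates the existing lock in place) for single additions and keeping `relock` for deliberate full refreshes. Minor: it calls `rm -rf` while `clean` and `clean:full` use `rimraf`; using `rimraf` here too would keep the scripts consistent across platforms.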
@ -63,7 +63,7 @@
|
||||
"sanitize-filename": "^1.6.3",
|
||||
"source-map-support": "^0.5.19",
|
||||
"tmp": "^0.2.1",
|
||||
"yargs": "^17.0.1"
|
||||
"yargs": "17.0.1"
|
||||
},
|
||||
"devDependencies": {
|
||||
"@types/debug": "^4.1.6",
|
||||
|
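Review bot: The exact pin `"yargs": "17.0.1"` has no record beside it of why it is pinned or when it can be lifted. The commit message mentions a breakage caused by yargs 17.1.0, but package.json cannot carry a comment and the pin will outlive that context. Add a line to HACKING.md or open a tracking issue, so the pin does not silently hold back later yargs fixes once the incompatibility is resolved.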