lerna: Publish does not update package-lock
Expected Behavior
When doing a publish, the version number should not only be bumped in the package.json but also in the package-lock.json when available.
Current Behavior
The package-lock version does not get updated. This causes the version to be updated the next time an install is run creating an extra (useless) commit.
Possible Solution
package-lock.json version number should be made equal to the package.json version number when publishing.
Context
I’m doing a Lerna publish automatically. This pulls the latest version and publishes all of the packages to NPM. However, now I constantly have to create extra commits for the package-lock.
Your Environment
Executable | Version |
---|---|
lerna --version | 2.2.0 |
npm --version | 5.8.0 |
node --version | 8.11.1 |
About this issue
- Original URL
- State: closed
- Created 6 years ago
- Reactions: 16
- Comments: 26 (10 by maintainers)
Commits related to this issue
- chore: add script to update package-level package-lock.json See https://github.com/lerna/lerna/issues/1415#issuecomment-455790478 — committed to loopbackio/loopback-next by raymondfeng 5 years ago
- Try version approach from https://github.com/lerna/lerna/issues/1415#issuecomment-455790478 — committed to brophdawg11/vue-dummy-mono-repo by brophdawg11 5 years ago
- chore: fix leaf package-lock.json after lerna version bump Plus, add a hook so that this is taken care of automatically in future, see https://github.com/lerna/lerna/issues/1415#issuecomment-45579047... — committed to instana/nodejs by basti1302 5 years ago
- build: add version hook to update package.lock see https://github.com/lerna/lerna/issues/1415#issuecomment-455790478 — committed to svrxjs/svrx by xuchaoying 5 years ago
- Remove package-lock.json files, lerna does not support them https://github.com/lerna/lerna/issues/1415 — committed to qiu8310/serpent by qiu8310 5 years ago
- feat(svrx): first version of svrx (#2) * chore: first commit * build: add dependency * v0.0.2 * build(npm): add test framework like mocha expect.js nyc etc * feat(svrx): add middleware basic... — committed to svrxjs/svrx by xuchaoying 5 years ago
- fix(version): Update lockfile version, if present Fixes #1998 Closes #2160 Refs #1415 — committed to lerna/lerna by evocateur 5 years ago
- chore: add script to update package-level package-lock.json See https://github.com/lerna/lerna/issues/1415#issuecomment-455790478 — committed to automateddecision/joblink-loopback-explorer by raymondfeng 5 years ago
- try fix from https://github.com/lerna/lerna/issues/1415 — committed to hoprnet/hoprnet by deleted user 4 years ago
- try fixing builds using new command: https://github.com/lerna/lerna/issues/1415#issuecomment-455790478 — committed to charkour/harmoniously by charkour 3 years ago
- chore: use lerna's lifecycle scripts to update package-lock.json I hope this works. After lerna has updated versions in `package.json` files, `npm install` should update them in the `package-lock.jso... — committed to genome-spy/genome-spy by tuner 3 years ago
- chore: add script to update package-level package-lock.json See https://github.com/lerna/lerna/issues/1415#issuecomment-455790478 — committed to speedytwenty/http-caching-proxy by raymondfeng 5 years ago
Edit 20/01/19
Fix
Add the following to the root package.json of your project:
Explanation
- lerna exec \"npm install --ignore-scripts --package-lock-only --no-audit\"
  - lerna exec "npm install" over lerna bootstrap is because the bootstrap does not do what I expected… In my particular use-case I have a package in my project where the package.json contains peerDependencies, but no dependencies or devDependencies. And, as it so turns out, if there are no dependencies or devDependencies in a package’s package.json then the lerna bootstrap does not trigger an npm install and the package-lock.json of that package does not have its version bumped (but its package.json) does.
  - package-lock.json for a package with an empty dependencies and devDependencies I had to manually perform an npm install in the package’s root folder.
  - package-lock.json for my package with an empty dependencies and devDependencies for consistency, and because I may well have dependencies/devDependencies in this package in future.

My work around …
Fix
Add the following to the root package.json of your project:
Explanation
When the lerna publish command is executed the version run-script is invoked by lerna “AFTER bumping the package version, but BEFORE commit”. So, breaking down the above run-script:
- lerna clean --yes
  - node_modules folder is present during the installation of a package’s dependencies then the version that package’s package-lock.json will not be updated by npm. I claim as much based on trial and error.
  - lerna publish) I do not expect there to be a node_modules present for any of my project’s packages. However, it does no harm to be explicit.
- lerna bootstrap --ignore-scripts -- --package-lock-only --no-audit
  - lerna bootstrap over lerna exec "npm install" is because that is what the bootstrap command is for.
  - --ignore-scripts option is because I use preinstall & postinstall in my project’s root package.json and, for my particular lerna publish workflow, I do not care to have those run-scripts get triggered.
  - --ignore-scripts option before the -- is to instruct both bootstrap and npm to not execute any run-scripts.
  - --package-lock-only “argument will only update the package-lock.json, instead of checking node_modules and downloading dependencies”.
  - --no-audit again, another time saver. I really just want to bump the version in the package’s package-lock.json.
- git add packages/*/package-lock.json
  - packages/.
  - * in packages/*/package-lock.json means the git add will only match on the package-lock.json file that is in a folder one-level down. Again, something that makes sense for my project.

Possible PR?
The need for a git add at all is due to the following lines (from lerna source code, commands/version/index.js):
The logic of the version command for lerna will; 1. compile a list of files that are to be included with the tag commit, 2. execute whatever version run-script you might have in your project’s root package.json, and 3. execute the git add part of the tag commit.
In other words, it’s not enough that lerna bootstrap --ignore-scripts -- --package-lock-only --no-audit would have updated the package-lock.json because lerna would have already decided on what files to stage for the tag commit. Hence why I include git add packages/*/package-lock.json – to ensure the package-lock.json is added to the tag commit.
Conclusions
Apologies for the monologue. This issue has been raised more than once (#925). Hopefully my input is helpful to some.
I did think about a PR to have the git add part of the tag commit be moved to after the version run-script has been invoked. But I don’t know enough about lerna’s source code to know if such a change would have unwanted side-effects.

I’m not asking whether there is a reason for you not to, I’m asking in general. One of the pros of open source is that you don’t have to be solely responsible for developing the software. If you agree with the approach I could try taking a look at implementing it when I have some time to help you out.
On 8 May 2018 at 9:29 p.m., Daniel Stockman notifications@github.com wrote:
Is there any reason not to?
For lerna 2.x, it’s because I don’t want to deal with that old codebase anymore.
For lerna 3.x (current master), it’s a bandwidth issue. I’m only one person, and I have a day-job.
This approach won’t work when a leaf package is going to be built into a Docker image. The docker build process won’t follow symlinks, and the file:/// specifiers won’t resolve unless the local dependencies are copied into the build context.
I’m not requesting a fix, only giving this example if anyone runs into the same issue I’m having. I realize it’s not within the scope of this project to support docker builds.
I’m using relative file specifiers in modular-css, but I’ve still got dependencies in all my packages because I can’t hoist those to the root. Lerna looks to be doing the same thing?
https://github.com/lerna/lerna/blob/f674f354f0260c57d885c181e16c9ce23ac252a8/commands/diff/package.json#L38
So I still don’t get how you get around having leaf node package-lock.json files. I’ve got one in the root for all my devDependencies just like lerna, but that doesn’t help w/ anything in packages/ does it?
Would definitely love to know how I could improve my setup or workflow for using lerna@3 in modular-css so I appreciate any wisdom you can share!

Relative file: specifiers, just like the lerna source. It’s a unified package-lock for the entire tree, no bootstrap required.
(I really need to document this pattern, I feel like I’ve repeated myself about eleventy-billion times over the past six months)
@trippingtarballs The git add in your custom lifecycle script is perfectly appropriate. Just because you’re using Lerna doesn’t mean Lerna must do all the work.
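
A CI-style check for the drift this issue describes, as an added example that is not part of the original thread or of lerna's code: it compares each leaf package's package.json version with its package-lock.json and reports mismatches. It goes slightly beyond the thread by also checking the `packages[""]` entry that lockfileVersion 2 and 3 carry; the function names, directory layout and package names are constructed for illustration.

```javascript
const fs = require("fs");
const os = require("os");
const path = require("path");

// Parse a JSON file; return null when it does not exist.
function readJson(file) {
  try {
    return JSON.parse(fs.readFileSync(file, "utf8"));
  } catch (err) {
    if (err.code === "ENOENT") return null;
    throw err;
  }
}

// One finding per leaf package whose lockfile version differs from package.json.
function findLockfileDrift(packagesDir) {
  const findings = [];
  for (const entry of fs.readdirSync(packagesDir, { withFileTypes: true })) {
    if (!entry.isDirectory()) continue;
    const dir = path.join(packagesDir, entry.name);
    const manifest = readJson(path.join(dir, "package.json"));
    const lock = readJson(path.join(dir, "package-lock.json"));
    if (!manifest || !lock) continue; // no lockfile, nothing to compare
    // lockfileVersion 1 records the version at the top level only;
    // lockfileVersion 2 and 3 repeat it under packages[""].
    const recorded = [lock.version];
    if (lock.packages && lock.packages[""]) recorded.push(lock.packages[""].version);
    const stale = recorded.filter((v) => v !== manifest.version);
    if (stale.length) findings.push({ name: entry.name, expected: manifest.version, found: stale });
  }
  return findings.sort((a, b) => a.name.localeCompare(b.name));
}

// Constructed sample tree (hypothetical package names, not from a real repository).
function buildSampleTree() {
  const root = fs.mkdtempSync(path.join(os.tmpdir(), "lock-drift-"));
  const write = (pkg, file, data) => {
    fs.mkdirSync(path.join(root, pkg), { recursive: true });
    fs.writeFileSync(path.join(root, pkg, file), JSON.stringify(data));
  };
  write("in-sync", "package.json", { version: "1.1.0" });
  write("in-sync", "package-lock.json", { version: "1.1.0", lockfileVersion: 1 });
  write("peer-only", "package.json", { version: "1.1.0", peerDependencies: { a: "*" } });
  write("peer-only", "package-lock.json", { version: "1.0.0", lockfileVersion: 1 });
  write("v2-stale", "package.json", { version: "2.0.0" });
  write("v2-stale", "package-lock.json", { version: "2.0.0", lockfileVersion: 2, packages: { "": { version: "1.9.0" } } });
  return root;
}
console.log(JSON.stringify(findLockfileDrift(buildSampleTree())));
```

Pointed at a real `packages/` directory after the `version` lifecycle script has run, an empty result means every leaf lockfile was bumped along with its package.json.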