-
Notifications
You must be signed in to change notification settings - Fork 239
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
RFC: Remove --depth from npm outdated #133
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is good, and we can discuss a bit more in today's RFC call. I think one thing to clarify is what exactly would show in each column.
Presenting some kind of proposal to chew on would be useful. It's especially confusing that "location" here is "the path in the dependency graph to the thing that depends on the node" and not "the location of the node".
I'd suggest each line could be:
Package
Name of the nodeCurrent
Node current versionWanted
Most up to date version that satisfies eachedgesIn
EdgeLatest
Latest version in the packumentLocation
Thenode.location
of the node (not the dependent)
And then group by each combination of wanted+location. So, you might see something like this, which is a little weird, but shows that the deduped package may have to get un-deduped:
Package Current Wanted Latest Location
bar 1.0.0 1.4.0 2.0.0 node_modules/bar
bar 1.0.0 2.0.0 4.0.0 node_modules/bar
## Rationale and Alternatives | ||
Since `npm update` will go ahead and update everything at any level, maybe there's no need to know in detail which nested dependencies are outdated and we could just show a message that certain top-level dependency has outdated deps. | ||
|
||
We could also remove all-together the functionality if people are not paying much attention to outdated nested deps, Yarn only displays top-level outdated packages. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Would be worth adding a not here that "depth" doesn't have a clear meaning in the context of a dependency graph over a deduplicated tree, since the same node will often be reachable via multiple different dependency paths. (Ie, the same issue brought up in https://github.com/npm/rfcs/blob/latest/accepted/0019-remove-update-depth-option.md)
|
||
In this example, we only care about two versions of `tar`, `4.4.13` and `6.0.2`. Instead we are shown 4 lines of output. | ||
|
||
Moreover, npm v6 currently has inconsistent behavior. Doing `npm outdated --depth 9999` displays all outdated packages that are direct children of the root package, missing out dependencies that are nested at other levels. This gives a wrong impression since we are not really displaying _all_ outdated dependencies of the tree. However, doing `npm outdated foo --depth 9999`, will indeed display all appearances of `foo` on the tree no matter if they are direct children of the root package or not. This is precisely the functionality that displaying all deps should have too (`npm outdated` with no flags). |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Doing
npm outdated --depth 9999
displays all outdated packages that are direct children of the root package, missing out dependencies that are nested at other levels. This gives a wrong impression since we are not really displaying all outdated dependencies of the tree.
I don't think that's the case, unless I'm misreading this maybe? npm outdated --depth=9999
includes this output, for example:
log-update 3.4.0 3.4.0 4.0.0 npm-audit-report > tap > ink
log-update 3.4.0 3.4.0 4.0.0 npm-audit-report > tap > treport > ink
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think in that case that particular dependency is being deduped and is indeed a direct child of your root package, dependencies that are not deduped and are nested within their own dependant, do not seem to show up when doing only npm oudated --depth 9999
but DO show up when you do npm oudated --depth 9999 <packageName>
.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Hm, it's not though. log-update
is a dependency of ink, and my package depends on tap, which depends on ink.
$ find node_modules -name log-update
node_modules/tap/node_modules/log-update
It is a good example of the fact that --depth
is pretty weird when talking about a dependency graph, though. It looks like I have two outdated versions of log-update
, when really they're the same dep node.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yeah, correct. The thing is that log-update
is a direct child of tap
. So I misphrased that by saying the command shows only direct children of the root package when I meant to say that the v6 algorithm is iterating recursively over the node's direct children (on the file system) instead of over node.edgesOut
.
Try doing npm outdated --depth 9999 ansi-escapes
(basically any specific dep inside node_modules/tap/log-update/node_modules
) and you'll see they are not displayed when calling outdated without a package-name.
Using tree.inventory
and node.edgesIn
on v7 will definitely solve this problem and properly give us a complete list of all outdated packages.
The addition of |
Update from RFC call: Worth considering if we could make |
Definitely the ideal default for |
d544e60
to
b35e667
Compare
are there any breaking changes expected for the |
@ruyadorno No, the only thing to note is that the location info has changed and is now |
After continued discussion, removing this concern for now in lieu of better support for this via direct libraries. |
cc. @isaacs