Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Pin dependency versions on release #6326

Open
mattrunyon opened this issue May 3, 2024 · 3 comments
Open

Pin dependency versions on release #6326

mattrunyon opened this issue May 3, 2024 · 3 comments

Comments

@mattrunyon
Copy link

Provide a general summary of the feature here

@adobe/react-spectrum package lists dependencies on the other spectrum packages with ^x.y.z notation. This means installing a specific version of @adobe/react-spectrum does not provide a consistent install every time and there are dozens of dependencies which can change. It also makes it tedious to downgrade if needed.

🤔 Expected Behavior?

npm install @adobe/react-spectrum@x.y.z in a fresh results in the same package-lock and always uses the same versions of all adobe packages.

😯 Current Behavior

The install will end up with the wrapper package downgraded, but all the other spectrum packages at their latest version within the same major version.

💁 Possible Solution

Pin the versions on release so the distributed package.json files do not list ^x.y.z as the versions

🔦 Context

#6241 fixes an issue with combobox, but has not been released yet. We discovered this after upgrading our package-lock.json. Downgrading @adobe/react-spectrum or installing a specific version does not work around the issue because the @react-aria/overlays package is the offender and a dependency several levels down. We had to add 11 overrides just to get that version pinned properly since package-lock.json had updated all of the previous versions and the newer versions are valid according to the older version's version ranges.

- @adobe/react-spectrum 3.33.1
  - @react-spectrum/combobox ^3.12.1(3.12.3 previously installed and doesn't downgrade)
    - @react-aria/combobox (uses @react-spectrum/combobox 3.12.3 version minimum, not 3.12.1)
      - @react-aria/overlays (the package we need to downgrade. Also need to downgrade everything that consumes it to prevent newer versions since the parent has a higher minimum version listed)

💻 Examples

No response

🧢 Your Company/Team

No response

🕷 Tracking Issue

No response
@JamesXNelson
Copy link

I believe pinning these versions would also reduce gradle-related build errors from npm shifting dependencies.

+1

@snowystinger
Copy link
Member

related RFC https://github.com/adobe/react-spectrum/blob/main/rfcs/2019-v3-versioning.md

@devongovett
Copy link
Member

The problem with pinning is that it's really easy to get duplicate copies of packages. If an app depends on one version of RSP, and it uses libraries with shared components that depend on another, the shared dependencies will currently be deduplicated, resolving to the highest compatible semver version. If RSP pinned its dependencies, this would no longer happen, and you'd get multiple different versions of the shared dependencies. This can cause problems like context not matching resulting in runtime errors, along with larger bundle sizes. I believe we tried this approach early in the life of v3, and switched to caret ranges due to these issues.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@devongovett @snowystinger @JamesXNelson @mattrunyon