Upgrade npm to version 5.0.3 (take 2) #8835
Conversation
Note that this version no longer corresponds exactly to the current Node version, which is perfectly fine, yet ever so slightly disappointing.
Part of #8728 (Release 1.6).
Based on this warning: npm ERR! As of npm@5, the npm cache self-heals from corruption issues and npm ERR! data extracted from the cache is guaranteed to be valid. If you npm ERR! want to make sure everything is consistent, use 'npm cache npm ERR! verify' instead. npm ERR! npm ERR! If you're sure you want to delete the entire cache, rerun this npm ERR! command with --force.
This was preventing `node-gyp` from installing the Node header files on Windows and was the reason that `minimatch` was not being found, as seen in #8831. The `minimatch` module was present, but it was just in `dev_bundle/lib`, not in `dev_bundle/lib/node_modules/npm/node_modules`. This expecation may have been expected from older versions of npm but is no longer the case. This replicates the behavior of the Unix `generate_dev_bundle.sh` script, which also does not nest `node-gyp`. /cc @benjamn
Much in the same way as these were changed from v3 to v4, they have been changed again!
The new version of npm no longer tolerates stray packages in node_modules that are not mentioned in package.json, such as node_modules/repl.
benjamn
force-pushed
the
upgrade-to-npm-5
branch
from
08f9bd6
to
0ca9794
Compare
benjamn
force-pushed
the
upgrade-to-npm-5
branch
2 times, most recently
from
3405547
to
fd6e0f4
Compare
If a package has a semantic (x.y.z) version in npm-shrinkwrap.json, npm appears to install it always from the npm registry, rather than the original tarball URL (uncommon but used by the less and stylus Meteor packages, among others).
benjamn
force-pushed
the
upgrade-to-npm-5
branch
2 times, most recently
from
ef1f026
to
214a972
Compare
|
I have to admit I'm pretty baffled by the persistence of these test failures, as I can't imagine why the changes in this PR would affect the timing of those particular self-tests. |
|
@benjamn duplicate extension test of circleci Build 4351 (container 1) seems to be failing because of this line:
this line
I suspect the output of the Sandbox has changed in the meantime? I was not able to test this so I'm guessing and would expect changing the test matching line
To
Might not fail the test. But I guess you might know better :-) |
|
@benjamn @abernix While looking at the Might this be related to the failed tests we are seeing? |
|
@hexagon6 Thanks for looking into the test failures. As you can see, often the timing of tests, and the specific order of output, are the root causes of the failures (especially the sporadic ones). That |
This PR takes the place of #8831, which was prematurely merged and closed by @benjamn.
This is a major update from npm 4.6.1, and should bring significant benefits in terms of speed and reproducibility of
npm installs. Read the blog post for an introduction to those benefits.To understand npm's new
package-lock.jsonfile format, I would highly recommend reading this documentation. Note especially thatnpm-shrinkwrap.jsonfiles are exactly the same aspackage-lock.jsonfiles, except thatpackage-lock.jsonfiles cannot be published to npm.For backwards compatibility, Meteor still works with
npm-shrinkwrap.jsonfiles internally (for example, to manageNpm.depends-style dependencies), but that's perfectly fine becausenpm-shrinkwrap.jsonfiles have the same meaning aspackage-lock.jsonfiles. The distinction about publishing is moot because Meteor packages are not published to npm.For application developers using
meteor npmin their own apps, this update is a great opportunity to revisit your workflows to see if you can make better use of the newnpmversion. In particular, if you've been usingyarn(ormeteor yarn), you might consider switching back tometeor npm, sincepackage-lock.jsonfiles are directly inspired byyarn.lockfiles.Meteor remains completely agnostic about how you populate the
node_modulesdirectory in your application, so you shouldn't have to change your workflows at all if you don't want to. However, this new version ofnpmis a pretty big leap forward, so with any luck it will make your dependency management a little bit faster and more reliable.