
Comments (3)

benmccann avatar benmccann commented on May 27, 2024 1

I understand that all the version ranges are satisfied in either case, so it isn't wrong per se, but it's an incredibly frustrating experience. We try to keep a minimal number of versions of each dependency in the lock file and it turns into a huge game of whack-a-mole. If we try to update a single dependency, it updates three other random ones - and not all of them. We then have to update the old versions of those three in the lock file and it then updates another five other random ones leaving again the rest unchanged and so on for half a dozen rounds. It's not updating everything, which would probably minimize the number of versions in the file, but some small random subset.

from pnpm.

andenacitelli avatar andenacitelli commented on May 27, 2024

I'd be surprised if this is considered a bug. What's happening here is very likely that pnpm performs full dependency resolution whenever any dependencies are modified, and your dependency / semver ranges for other dependencies allow more recent versions for them.

For example, if you initially installed dependency x@^1.0.0 (meaning it's allowed to go 1.0.0 <= x < 2.0.0) and a new version [email protected] is pushed, x will be updated in the lock file to 1.1.0 if you make edits to any other dependency (such as npm i undici).

Best I'm aware, most other dependency managers act this way. The whole point of dependency ranges is so that you permit "automatic" updates within a given range. If you don't want them, pin your dependencies precisely, avoiding use of ~ and ^.

from pnpm.
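The range behaviour described in the comment above, as an added illustration that is not pnpm's code: a minimal resolver for npm-style exact, caret and tilde ranges that picks the highest published version inside the range, the way a fresh resolution does. The package name "x" and its published version list are constructed; pre-release tags and compound ranges are deliberately left out.

```javascript
// Added example (not pnpm's code): a minimal resolver for npm-style
// exact, caret (^) and tilde (~) ranges, showing why re-resolving the
// lockfile moves x@^1.0.0 to 1.1.0 while a pinned x@1.0.0 stays put.
// Pre-release tags and compound ranges are deliberately not supported.

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  if (!m) throw new Error(`unsupported version: ${v}`);
  return m.slice(1).map(Number);
}

function compare(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// Exclusive upper bound implied by the operator, per npm semver rules:
// ^1.2.3 -> <2.0.0, ^0.2.3 -> <0.3.0, ^0.0.3 -> <0.0.4, ~1.2.3 -> <1.3.0
function upperBound(op, [maj, min, pat]) {
  if (op === "~") return [maj, min + 1, 0];
  if (maj > 0) return [maj + 1, 0, 0];
  if (min > 0) return [0, min + 1, 0];
  return [0, 0, pat + 1];
}

function satisfies(version, range) {
  const op = range[0] === "^" || range[0] === "~" ? range[0] : "";
  const base = parseVersion(range.slice(op.length));
  const v = parseVersion(version);
  if (op === "") return compare(v, base) === 0; // exact pin: only one version matches
  return compare(v, base) >= 0 && compare(v, upperBound(op, base)) < 0;
}

// What a resolver picks on a fresh resolution: the highest published
// version that satisfies the range, or null if nothing does.
function resolveHighest(range, published) {
  const ok = published.filter((v) => satisfies(v, range)).map(parseVersion);
  if (ok.length === 0) return null;
  return ok.sort(compare).pop().join(".");
}

// Constructed registry listing for a hypothetical package "x".
const PUBLISHED = ["1.0.0", "1.0.3", "1.1.0", "2.0.0"];
console.log(resolveHighest("^1.0.0", PUBLISHED)); // 1.1.0: caret floats to the newest minor
console.log(resolveHighest("~1.0.0", PUBLISHED)); // 1.0.3: tilde floats the patch level only
console.log(resolveHighest("1.0.0", PUBLISHED));  // 1.0.0: an exact pin never moves
```

Pinning with an exact version (or setting save-exact in .npmrc) is what keeps a re-resolution from silently pulling in a newer release, which is also the lower-risk choice for supply-chain hygiene.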

tlstyer avatar tlstyer commented on May 27, 2024

How did you end up updating undici? I tried some stuff and the only way I could update it using pnpm was to delete the lockfile and node_modules (if it existed) and then install dependencies which, of course, generates a new lockfile.

I also noticed that the lockfile after the reproduction steps is identical to the lockfile after following those steps but replacing the last step with pnpm update asdfjklasdfjklasdkfjasldfj (a non-existent package). Maybe pnpm update <package> doesn't necessarily update a package if it isn't in package.json.

from pnpm.
