-
-
Notifications
You must be signed in to change notification settings - Fork 1.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[Feature] Allow opting-out of vendoring berry's files #969
Comments
Although doable, I would prefer to avoid downloading binaries from remote sources on commands that aren't supposed to have anything to do with the network (such as I know that a few people from the Node project have toyed with the idea "what if Node didn't ship with any package manager", or "what if Node shipped with a package manager installer" rather than just npm. Maybe it would be the right time to start a discussion to see how we could make it easier for everyone to manage multiple package manager versions? |
One day, the npm registry will be gone forever, and then most of my projects using Yarn will become unusable. I guess that's a risk I willing to take, as I don't vendor my npm dependencies and use Yarn to download them for me. But I see your point regarding the security aspect. Maybe limit the proposed behaviour to
I couldn't agree more, that would be awesome! But Berry would probably keep its "per-project" install policy though, right? |
Yes. But depending on how this package manager installer would work, it could be the right place to store this "install on execution" logic. For example, let's say that (very basic proposal I just came up with, refine it at will):
By doing something like this, we would solve many problems at once:
|
While we’re waiting for such a
Similarly to your above proposal, when there’s a configured Yarn version that hasn’t been downloaded yet,
It could download Yarn from the registry—and if the registry is hit by a bus, even a vendored Yarn probably isn’t going to be too useful. 🙂 In any case, this would of course be an opt-in mechanism for projects willing to accept the risk of relying on external dependencies. |
Right, but I'm not sure Yarn core is the right layer to implement this (similar to how Node doesn't implement
It does. For example, none of my companies will bat an eye when the registry will die (or even regularly goes down, like it did twice these past weeks), because we don't rely on it for our deployments. Something something offline mirrors / check-in your cache 🙂 |
It might not be technically ideal, but the reason I think this belongs in Yarn core is that, from the perspective of a project considering adopting Yarn 2, it’d be a lot more palatable to ask developers to upgrade their global
I understand that some projects will be comfortable vendoring Node users can get by without |
I conceptually agree but I personally don't have time to invest into developing this tool at the moment, so that's something that someone else will have to take ownership of. I'd encourage you to go ahead and build a prototype of the specs I outlined outside of the Yarn repository (something that can be quickly installed with |
For the CLI you can use corepack https://github.com/nodejs/corepack. Uninstall yarn, run |
I have written the tool that works almost the way the topic starter @aduh95 described, it computes and stores URL of the Yarn 2 bundle and URLs of official plugins in a JSON file |
This comment has been minimized.
This comment has been minimized.
Now that Node.js ships with Corepack and Yarn 4 will prefer it over |
Yep, I’ve been using Corepack for some time now, and it does fulfill my use case. Hopefully rest of the ecosystem will adopt it swiftly too! |
Note that corepack currently lacks the integrity hash protection for downloading Yarn that Yarn itself uses for downloading other packages, so a compromised proxy server could potentially tamper with the download. Until that’s addressed, be aware that you may not be getting the security guarantees you expect. (Edit: this is marked “closed”, but integrity is still not protected in typical usage; see nodejs/corepack#134 (comment).) |
Plugins such as |
It's already the case in 4.0, currently RC. All core plugins are distributed by default. |
I cannot find any info regarding a v4 release candidate in the releases. Is there a planned release date? That being said, I would also like to avoid checking in third party plugins. |
I'm aware of pinned issue #3591, however I was not able to find an estimated release date. Did I miss it? |
Ah, I misunderstood you comment; no planned release / whenever it's ready. yarn set version canary |
IdeaInstead of committing the raw yarn executable code into my repository, i'd prefer a canonical way, e.g. adding a Advantages
Now i'd only need a repository that i could link to that contains the |
Describe the user story
I am a Yarn user, I have run
yarn set version berry
on my repo. Now I would like not to commit.yarn/releases
; it's not my code, I am not confortable having it on my CVS; also, upgrading to a new version produces huge diffs.One of the reason I am using Yarn, it is to avoid storing vendor files; I feel forcing users to vendor is not the way to go.
Describe the solution you'd like
We could imagine
yarn set version xx
keeps the actual version number on the.yarnrc.yml
; when runningyarn
, it will first check if theyarnPath
file exists, and if not, checks if ayarnVersion
is defined and download it from the network. Note that it doesn't change anything for projects that vendor the file, while providing an easy opt-out (adding.yarn/
to.gitignore
).Describe the drawbacks of your solution
Besides the debat vendoring vs using a package manager, I can't think of any.
Describe alternatives you've considered
Put the
.yarn
folder and the.yarnrc.yml
to my.gitignore
and put a note on the Getting Started section of the README to runyarn set version berry
...The text was updated successfully, but these errors were encountered: