-   Notifications  You must be signed in to change notification settings 
- Fork 3.8k
fix: prune optional peer dependencies that are no longer explicitly depended on #8431
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Conversation
7127150 to efd74f7   Compare   | so the Windows tests are failing because my new test results in a request for the  I've kept the adding of the tgz file in case that will be useful - I'm also not sure why this fails only on Windows 😕 | 
| 
 Yeah this is a GOOD thing cause answering this question will help us know if this PR is right. | 
| @wraithgar so I've spent a few hours trying to dig into this without much luck, though I'm still pretty sure the failure is about the test setup rather than the fix being wrong - if I revert the fix, then all the tests fail with the same kind of error though there's more of them because it's resolving about 20 more packages. I think the issue is something on the lines of dependencies (not) being cached - the error gets raised when calling this: cli/workspaces/arborist/lib/arborist/reify.js Lines 799 to 803 in c457c75 
 I also feel like when I revert the fix, the Windows test fail about different packages e.g. it complains about  I don't think I'll be able to dig into this much further by myself I'm afraid as I've not found any solid difference between Windows and Linux 😞 | 
| @wraithgar I've got the tests passing in a manner that you might not be too impressed by, but that I think at least shows the issue isn't with my change | 
| The workaround is very intentional and well commented. It's always these one-line tweaks that get so far off the rails when it comes to testing. Thank you for seeing this through. | 
| It's possible the mock npm fixture has a quirk in windows with this caching but fixing that is way outside the scope of this PR. | 
| Is there a chance of this getting backported? | 
| @lkraav we typically don't actively do backports but this would probably be something we would consider if a PR was made against the v10 branch | 
| I have opened #8449 backporting this, unfortunately CI for Linux and macOS is failing - since (ironically) Windows is passing, I'm guessing it's cache related and I wasn't able to figure out the root cause for this PR. My very hacky work for exploring this is in https://github.com/G-Rath/cli/tree/prune-optional-peer2 if someone wants to have a crack at digging further - I'm not sure if I'll have the time this week | 
| Hey @G-Rath , I'm pretty sure this change broke our CI. I don't think this is a desirable way to fix the linked issue because with this change, it is no longer possible to install a peer optional dependency that isn't tracked as a dependency. This seems like a regression. Can we revert this change? Context: I maintain the mongodb pacakge, which has a number of peer optional dependencies. Some of these are native packages with native addons. One of these dependencies (kerberos) doesn't support the full platform matrix that the mongodb package supports. So we don't track it as a dependency because if we did  | 
| Suppose my package A depends on package B which peer-depends on package C which optionally depends on package D. This change causes D to be removed from package-lock.json and node_modules. That doesn't seem correct. D should still be installed. I think this PR has conflated the concept of optional peer dependencies with the concepts of peer dependencies + optional dependencies. | 
| This change broke my CI as well where I verify that npm generates no diff in the lockfile. With v11.4.2 such optional peer dependencies were present in the lockfile, but since v11.5.0, they are now absent. The change is fine in itself I guess, but I wonder if npm could better communicate such lockfile-breaking changes better. | 
| Yeah, this change should be reverted or revisited. We tried upgrading our repos to npm 11.5.x, and this broke  | 
| A potential forward fix is hinted at by this comment, as well as #8489: 
 I.e. it sounds like the ideal tree is incorrect, and so these deps end up getting pruned. If we can fix the ideal tree, then this PR may not actually be problematic. | 
| I think there is still some bug that causes unstable lockfile content for optional peer dependencies. I don't think it's related to platform-specific dependencies, seen it with any kind of optional peer dependencies. | 
| 
 Your workaround didn't work for me running tests locally. I avoided network by adding the dep to fixture  | 
| @G-Rath my current leaning is to revert this change. I think it is correct, and a good change, but the side effects of other bugs have made this a pretty wide-reaching breaking change for folks. Since the flag fixes are pretty deep internals, I'm not confident we can get a fix for how peer/optional flags flow through the system working correctly quickly. I know that would be disappointing - do you have thoughts about that or alternatives? | 
| @owlstronaut if you think that's best, then go for it - frankly, not meaning to be rude but what would be most disappointing about that is I don't expect it'll get prioritized anytime soon given the original issue (like some of my others) was open for 2+ years with seemingly next to no maintainer discussion or indication that it had been considered for trying to address 🙃 I would be interested in knowing if you're saying this primarily because of the feedback in this repo or if you've also received other feedback elsewhere (such as from enterprise folks). | 
| As of #8579 it looks like we are not going to have to revert this. Huge thanks to @owlstronaut for tracking down the last step here to fix the bugs this fix surfaced. It can be frustrating when this happens, and it does happen more often with projects like npm that have some complex stuff in it that has grown organically over time and has a LOT of users. Huge thanks to @G-Rath for the initial PR that started us down this road to getting things fixed. Thanks also to @liamcmitchell and @jenseng for helping with triaging, suggesting fixes, and testing things on their end. Looking forward to landing that other PR and moving forward, not backward. | 
- reverts pruning added in #8431, which incorrectly prunes deps flagged as `peer` and `optional` - these flags don't mean that this node is an optional peer! - reverts much of #8579, which I think mistakenly changed peer dep calculation logic - rewrites calcDepFlags - adds logic to avoid unsetting `extraneous` when following optional peer edges (how #8431, should have been fixed) - updates my prev fix to avoid looking for missing optional peer deps (`if ((!edge.to && edge.type !== 'peerOptional') || !edge.valid) {`) - refactors dep flag unsetting and resetting into Node methods - removes `shake out Link target timing issue` test, which was testing code [removed](2db6c08#diff-6778dbd4bbfddaeb827a8d2aa7248d4c9b329229f69e407d5fd487abe16dd942L333) a while back - avoids omitting flaky`selflink` fixture when writing snapshots Fixes #8535



Currently optional peer dependencies are retained so long as at least one package in the tree has them as an optional peer dependency, meaning once added they become non-optional even though
npmdoes actually seem to mark such dependencies.To resolve this, I've modified the pruning logic to check for nodes that are both
optionalandpeer, in addition toextraneousnodes.References
Resolves #4737