One of our app's (my-app) dependencies is an npm lib we publish to npm (my-lib).
{
  "name": "my-app",
  "version": "<my-app-version>",
  "dependencies": {
    "my-lib": "<my-lib-version>"
  }
}
As a company we are committed to support the current version and 1 older version.
my-app 1.0.0 depends on my-lib 1.0.0
{
  "name": "my-app",
  "version": "1.0.0",
  "dependencies": {
    "my-lib": "1.0.0"
  }
}
my-app 2.0.0 depends on latest my-lib which is 3.1.0
{
  "name": "my-app",
  "version": "2.0.0",
  "dependencies": {
    "my-lib": "3.1.0"
  }
}
We have a bug in my-lib which we must fix for both.
The easy thing to do would be fixing it in 3.1.0, but my-app 1.0.0 can't adopt 3.1.0 as it introduces breaking changes, and must stay on version 1.x.x.
What's the standard way to fix my-lib in both?
If you decide to update both the 1.x.x and 3.x.x versions, you might keep working on two separate Git branches and publish two separate patch releases on npm.
I have two versions of a package, e.g.
@mycompany/mylib v2.0.0
and
@mycompany/mylib v3.0.0
version 3.0.0 has breaking changes from version 2.0.0 but we do not have the capacity to upgrade everything to 3.0.0 as of yet.
Another developer has upgraded an internal package, e.g. @mycompany/utils, to use version 3.0.0, and that is installed into our codebase, so now we are getting compatibility errors when running the build: @mycompany/utils requires version 3.0.0 but the rest of the code in that repository wants version 2.0.0.
Is there a way with yarn/npm that I can install @mycompany/mylib v3.0.0 for @mycompany/utils and have the rest of the code refer to v2.0.0?
You can use custom alias installs:
npm i custom-name@npm:@mycompany/mylib@3.0
You can change custom-name to any valid package name you want to use.
After that you can import the package with this alias name, e.g.:
require("custom-name") / import * as mylib from "custom-name"
To npm install a specific version, use npm install [package-name]@[version-number].
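The alias in the answer above installs a package under a key that is not its real name. As an added example that is not part of the answer, the Node.js script below parses npm: alias specs out of a dependencies map so you can see which real package each key installs and spot the two copies of @mycompany/mylib. The sample dependency map (including the @mycompany/shims package) is constructed for illustration, and the rule that an alias without a range resolves to the latest dist-tag is an assumption.

```javascript
// Added example (not from the original answer): resolve npm alias dependency
// specs so you know which real package each key in package.json installs.
// An alias spec has the form "npm:<real-name>@<range>". Scoped names begin
// with "@", so the version separator is the LAST "@" after position 0.

function parseDependencySpec(key, spec) {
  if (!spec.startsWith("npm:")) {
    // Ordinary dependency: the key is the real package name.
    return { key, name: key, range: spec, aliased: false };
  }
  const body = spec.slice("npm:".length);
  const at = body.lastIndexOf("@");
  // "@scope/pkg" with no version gives at === 0; "pkg" with no version gives -1.
  if (at <= 0) {
    // Assumption: an alias with no range installs the `latest` dist-tag.
    return { key, name: body, range: "latest", aliased: true };
  }
  return { key, name: body.slice(0, at), range: body.slice(at + 1), aliased: true };
}

// Group every dependency key by the real package it resolves to, so two
// copies of the same package under different keys become visible.
function groupByRealPackage(deps) {
  const groups = new Map();
  for (const [key, spec] of Object.entries(deps)) {
    const entry = parseDependencySpec(key, spec);
    if (!groups.has(entry.name)) groups.set(entry.name, []);
    groups.get(entry.name).push(entry);
  }
  return groups;
}

// Keys whose installed package differs from the key name. Worth reviewing:
// "lodash": "npm:something-else@1.0.0" installs something-else under the
// name lodash, which nobody reading only the dependency keys would notice.
function aliasedKeys(deps) {
  return Object.entries(deps)
    .map(([k, s]) => parseDependencySpec(k, s))
    .filter((e) => e.aliased)
    .map((e) => `${e.key} -> ${e.name}@${e.range}`);
}

// Constructed sample dependencies for the scenario in the question.
const sampleDeps = {
  "@mycompany/mylib": "^2.0.0",
  "mylib3": "npm:@mycompany/mylib@3.0.0",
  "@mycompany/utils": "^1.4.0",
  "lodash": "npm:@mycompany/shims@1.0.0",
};

for (const [name, entries] of groupByRealPackage(sampleDeps)) {
  console.log(name, entries.map((e) => `${e.key}:${e.range}`).join(", "));
}
console.log(aliasedKeys(sampleDeps));
```

Run it with node. The aliased-keys list is the part a dependency review should look at: an alias lets any package be installed under any key, so tooling that only reads the key names can be pointed at the wrong package.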
This is the scenario:
I have a package, say package-a, that depends on package-b. Version 2.0.0 of package-a depends on version 1.1.0 of package-b. I specified this dependency using the notation ^1.1.0. I generated the lock file and then the shrinkwrap. I then published package-a to the repository.
My understanding is that the above ensures that whenever version 2.0.0 of package-a is installed it will always use version 1.1.0 of package-b, even if there are newer versions of package-b.
This does not seem to be the case, because when I bumped package-b to 1.2.0, then deleted package-a and re-installed it, when I check its node_modules I see it installs version 1.2.0 of package-b with it (instead of the 1.1.0 that is specified in the shrinkwrap file).
How do I fix this? How do I ensure that my package will always install what is found in the shrinkwrap file?
Or maybe I misunderstand how the npm shrinkwrap file should work? If so, I would appreciate an explanation of why what I did did not work, and pointers on how to make it work as I want.
We are facing a vulnerability issue with Angular 12.24 when scanned with the Black Duck tool.
Below are the packages with issues.
PostCSS - 7.0.36. Recommended - 8.3.6
url-parse - 1.5.1. Recommended - 1.5.3
glob-parent - 3.1.0. Recommended - 6.0.1
einaros/ws - 6.2.2. Recommended - 8.0.0
How can I update these versions, as these are dependencies of the core packages installed?
Tried solutions:
npm audit fix - not working
Updated to the latest Angular version - not working
Updated package-lock.json - getting overwritten on npm i
Thanks in advance.
In the package.json of my ReactJS webpack project I specified the version number of a dependency that I wanted to download through npm install as ^0.0.130, where the latest version of that dependency is 0.0.145.
But when I run npm install it downloads 0.0.130, not the latest version.
But when I specify the version number as ^0.0.145 it downloads the latest version, 0.0.145.
I cannot figure out why it is not downloading the latest version even though I used the caret sign (^) with the earlier number.
Can anyone help me figure out why this is not happening the right way?
^0.0.145 matches the most recent ^0.x.x version
To upgrade to the latest version for the 1.0.0 major release you will need to use something like ^1.0.0
Yes, that can happen.
After a component is published using the npm publish command, the latest version is usually the highest version number. But if a component is published using npm publish --tag latest, that version is marked as the latest one. So even though you published new versions after that, the latest version will be the earlier version.
In the above scenario they published 0.0.130 as the latest version using npm publish --tag latest. So even though they published new versions after that, ^0.0.130 is the latest one.
0.0.145
.......
.......
.......
0.0.131
0.0.130 --------latest
0.0.129
0.0.128
0.0.127
I have an npm module which is already released under a 4.x.x version and has breaking changes compared to the 3.x.x stable version.
However, I have some updates to the 3.x.x version and want to patch its npm version. Is it possible? Can I manage 2 major versions on npm?
Will npm publish --tag (https://docs.npmjs.com/cli/publish) do the trick?
However, I have some updates to the 3.x.x version and want to patch its npm version. Is it possible? Can I manage 2 major versions on npm?
Yes, it's possible. Something that's common is to have the master branch for new development and branch off older versions if you want to patch them, naming the branches e.g. 3.x.
So assume your module has previously been released as 3.1.2 and you want to fix a bug, i.e. you want to publish 3.1.3 (a patch release). Simply branch off from 3.1.2 (assuming you have a git tag v3.1.2):
git checkout v3.1.2
git checkout -b 3.x
# make changes and commit
npm version patch # will bump package.json, commit that and tag
npm publish
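Two threads on this page turn on the same mechanics: the ^0.0.130 question above (why a caret on a 0.0.x version does not pull 0.0.145) and this answer's back-port release (what happens to the latest dist-tag when 3.1.3 is published after 4.x). The Node.js script below is an added example that is not code from either answer. It models the caret rule from the semver spec, npm's preference for the version carrying the latest dist-tag when that version satisfies the requested range (otherwise the highest satisfying version is picked), and the choice of value for npm publish --tag. Assumptions: only plain major.minor.patch versions (no prereleases or build metadata), constructed registry data, and the convention that maintenance lines are tagged "<major>.x".

```javascript
// Added example (not code from either answer): a minimal model of how npm
// resolves a version range against a package's published versions, and of
// which dist-tag a back-ported patch should be published under.
// Assumption: only plain "major.minor.patch" versions; prereleases and
// build metadata are left out.

const parse = (v) => v.split(".").map(Number);

function compareVersions(a, b) {
  const x = parse(a);
  const y = parse(b);
  for (let i = 0; i < 3; i++) {
    if (x[i] !== y[i]) return x[i] - y[i];
  }
  return 0;
}

// Caret rule from the semver spec: allow changes that do not touch the
// left-most non-zero component. ^1.2.3 => <2.0.0, ^0.2.3 => <0.3.0 and
// ^0.0.3 => <0.0.4, i.e. exactly 0.0.3 and nothing newer.
function caretUpperBound(v) {
  const [M, m, p] = parse(v);
  if (M > 0) return `${M + 1}.0.0`;
  if (m > 0) return `0.${m + 1}.0`;
  return `0.0.${p + 1}`;
}

function satisfies(version, range) {
  if (range.startsWith("^")) {
    const base = range.slice(1);
    return compareVersions(version, base) >= 0 &&
      compareVersions(version, caretUpperBound(base)) < 0;
  }
  return compareVersions(version, range) === 0; // exact pin such as "1.1.0"
}

// What `npm install pkg@<range>` picks: the version carrying the `latest`
// dist-tag wins when it satisfies the range; otherwise the highest
// satisfying version does. Returns null when nothing matches.
function pickVersion(versions, distTags, range) {
  const latest = distTags.latest;
  if (latest && versions.includes(latest) && satisfies(latest, range)) {
    return latest;
  }
  const matches = versions.filter((v) => satisfies(v, range)).sort(compareVersions);
  return matches.length ? matches[matches.length - 1] : null;
}

// Which value to pass to `npm publish --tag`. Publishing without --tag always
// moves `latest`, so a 3.1.3 published after 4.x would make a bare
// `npm install my-lib` hand out the old major line.
// Assumption: maintenance lines are tagged "<major>.x".
function publishTag(newVersion, distTags) {
  const latest = distTags.latest;
  if (!latest || compareVersions(newVersion, latest) > 0) return "latest";
  return `${parse(newVersion)[0]}.x`;
}

// Constructed registry data covering both scenarios on this page.
const versions = ["0.0.127", "0.0.128", "0.0.129", "0.0.130", "0.0.131",
                  "0.0.145", "3.1.2", "4.0.0", "4.1.0"];

console.log(pickVersion(versions, { latest: "4.1.0" }, "^0.0.130")); // 0.0.130
console.log(pickVersion(versions, { latest: "4.0.0" }, "^4.0.0"));   // 4.0.0, not 4.1.0
console.log(publishTag("3.1.3", { latest: "4.1.0" }));                // 3.x
```

Two things the output shows that neither answer states: ^0.0.130 resolves to 0.0.130 whatever the dist-tags say, because a caret on a 0.0.x version permits no newer version at all; and a latest tag that lags the newest release does change what a wider range such as ^4.0.0 installs. For the back-port, pass the computed tag explicitly (npm publish --tag 3.x) so the 3.1.3 patch does not become latest.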