Add a "latest" tag in addition to the versioned tag.

Question

Add a "latest" tag in addition to the versioned tag.

sramam opened this issue 7 years ago · 4 comments

As it stands, the versioned tags are great if the sub-package is relatively stable.
For things like internal framework modules which are used in many places, any
update to the lerna module requires modifications to all downstream usages.

It'd be good to have a ${pkgName}-latest tag, in addition to the versioned tag,
allowing in effect the same npm behaviour as @latest.

Answer 1 · 2018-01-20T19:10:26.000Z

Hello @sramam ! Sorry for my long delay answering.

Once I tried adding latest (${pkgName}-latest), major (${pkgName}-1 and minor (${pkgName}-1.2) tags. But It doesn't work with lockfiles, yarn has a yarn.lock lockfile by default and since npm v5 we also have a lockfile called package-lock.json by default. Having lockfiles by default is the right way to go. And those lockfiles lock the git deps by using the git hash/checksum.

For example by installing the git tag gitpkg-v1.0.0-beta.1-gitpkg of the repo https://github.com/ramasilveyra/public-registry with yarn, the yarn.lock file will look similar to this:

// ...
"gitpkg@github:ramasilveyra/public-registry#gitpkg-v1.0.0-beta.1-gitpkg":
  version "1.0.0-beta.1"
  resolved "git+ssh://git@github.com/github:ramasilveyra/public-registry.git#81bca092192e5070f73e1e67d7b01844b9e4c829"
// ...

and with npm v5 the package-lock.json will look similar to this:

// ...
    "gitpkg": {
      "version": "github:ramasilveyra/public-registry#81bca092192e5070f73e1e67d7b01844b9e4c829",
// ...

What is common in both? That the git tag gitpkg-v1.0.0-beta.1-gitpkg is resolved to the git hash 81bca092192e5070f73e1e67d7b01844b9e4c829 that is unique. So by forcing pushing new versions of the git tag gitpkg-v1.0.0-beta.1-gitpkg we kill the old git hash with a new different one, making the lockfiles to fail.

Also if you try to install a new updated forced pushed git tag it will probably break the cache of yarn and npm, causing it to behave erratically.

This also applies to git branch deps.

My ideas on how to ideally solve this problem is by implementing a custom semver definition and custom gitpkg fetching logic natively in yarn/npm. Take a look to #6.

I will close this issue and your pr, I hope that you understand. And in the case that you still want latest/major/minor tags, you can use gitpkg to release a new custom version of gitpkg!

Regards, have a great year!

Answer 2 · 2018-01-22T08:29:39.000Z

As I understand the lock files, there are two cases -

adding the module as a dependency, which @latest will get the current latest hash and install the hash in the package.
installing the parent module, in which case, if a later gitpkg version is been published, the install will fail - per the lockfile logic you mentioned.

#1 is desired behavior.
#2 The unstable behavior is exactly what I'd like! It is the only way to detect that the underlying package has an update, since we have bypassed the registry all-together. I think of it as the price to pay for living on the bleeding edge (typically in a dev branch).

With npm/yarn, npm install express@latest adds a specific version to package.json - so it's the latest at the time the dependency was added! To figure if there is an update, there are two mechanisms - npm updated or npm-check. I really prefer the second, but that's just me quibbling. Both are checking with the registry for later versions.

This is the crucial piece that I miss with gitpkg - the ability to automatically detect dependency updates. I have to manually watch and patch.

If we set the #latest gitpkg tag, a periodic build will fail, alerting us to a need to patch. It's perfectly possible to avoid this instability by using any other gitpkg tag. It's only the #latest tag that behaves special. While I'd be reluctant to add more special tags, perhaps others have valid use cases for them.

This was crucial to me as I was considering using lerna. I have since moved on from
such mono-repos for my project, so don't have strong objections to closing the issue.

I did want to document the thinking behind the original PR. At least to me, it still looks like the only sensible thing to do with the #latest tag as it automates and otherwise pesky issue.

But then I do have way too many opinions!

Overall perusing the code of gitpkg, my understanding of git got better and I really enjoyed
the almost declarative code you have within. So thanks much for it. I am likely to copy that
style in the future.

Have a great new year and may the God of open-source smile upon you!

Answer 3 · 2021-01-03T13:42:11.000Z

Hi,

I am using lerna for versioning and deferring the publishing task to gitpkg because it allows "Lightweight git tags (only the files needed are included)". This setup works great, however I do agree that it would be nice to also be able to have gitpkg force push to another tag like "${pkg.name}@latest" for reasons already mentioned by sraman.

My package.json looks something like the following currently (these packages do not depend on any other packages):

...
  "devDependencies": {
    "@company/package": "https://xxx:xxx@bitbucket.org/xxx/xxx/get/package@3.0.2.tar.gz"
    }
...

Whereas I could just use package@latest.tar.gz as a moving target that will point to the latest gitpkg release.

...
  "devDependencies": {
    "@company/package": "https://xxx:xxx@bitbucket.org/xxx/xxx/get/package@latest.tar.gz"
    }
...

Then I can use a hook to run npm install @company/package in order for all dependent projects to keep up to date with this package.

Answer 4 · 2021-01-04T05:37:51.000Z

I was able to workaround this by adding the following to my package's package.json postversion hook (lerna version calls this hook).

...
  "scripts": {
    "postversion": "gitpkg publish && git fetch origin +refs/tags/$npm_package_name@$npm_package_version:refs/tags/gitpkg-tmp && git push origin gitpkg-tmp:$npm_package_name@latest --force"
  },
...

Explaining the git commands:

Note: $npm_package_name and $npm_package_version are NPM's exposed environment variables that can be used to refer to the package's values, you should update the commands in the hook to match the pattern of your packages names.

git fetch origin +refs/tags/$npm_package_name@$npm_package_version:refs/tags/gitpkg-tmp
^ This creates a temporary local tag "gitpkg-tmp" that points to the commit on remote (that gitpkg just pushed), the "+" means to overwrite local tag with same name.

git push origin gitpkg-tmp:$npm_package_name@latest --force
^ This pushes the gitpkg-tmp local tag to remote as @latest, --force ensures the remote one is overwritten.

Maybe some experienced devs can chime in on some pitfalls with this approach, for some with basic usage this seems to work.