undefined | Better HN

0 pointsnemetroid5y ago0 comments

Could create-react-app have avoided this through regression suites?

0 comments

Not really. NPM relies heavily on semver - https://semver.org/. In this case, the package that was updated updated a minor version, which means it should be backwards compatible, but it wasn't for later versions of Node.

Of course, you can always lock your build to exact versions of your dependencies (lock files in NPM used to be a complete cluster, in my opinion they are less of a cluster now - you can pretty much do everything you want with them but there are some gotchas that make it easy to shoot yourself in the foot). The issue is that when you run 'npm install', it will pull the latest semver-compatible versions of your dependencies.

So for everyone decrying how this is a bad example of NPM and the javascript ecosystem, I really think the opposite is true. Yes, it broke a lot of upstream dependencies, but importantly only for new builds of those items, and furthermore it was found almost immediately.

Also, of course, you can specify exact versions of your dependencies - you don't have to rely on semver. That means, though, that you need to be more vigilant about pulling in bug fixed and security fixes, and most people take the tradeoff that they are comfortable pulling in patch or minor versions, but using lock files once they have a build they have verified.

salawat5y ago

The regression suite never gets to run if it shares the dependency.

And the system under test shouldn't even compile for the tests to run either. So it isn't so much the regression suite saving you so much as it is just acting as the client of first resort.

jakear5y ago

CRA would be running the tests, not is-promise. CRA could have pinned every dep, and had a bot (dependabot) automatically run tests against every new version of every depended-upon package, and update only when those tests pass.

0xff00ffee5y ago

Bumping your comment because I would like to know. I'm following the github thread.

jakear5y ago

Potentially. If cra had pinned all their deps, and used a bot to automatically bump deps contingent on passing a comprehensive regression matrix, this would have been avoided. GitHub's Dependabot is good for this. In my opinion everybody besides libraries should pin deps and use dependabot.

gombosg5y ago

Exactly. We use Renovatebot for the same purpose. It pins dependencies and creates PRs for updates. Amazing to see how often the builds break, even sometimes after minor updates. But at least we fix them before release, and not after... :)

1 more reply

detaro5y ago

If they'd pinned the dependency versions, and ran the tests before updating the pins, the tests should have catched it.

j / k navigate · click thread line to collapse

0 comments

hn_throwaway_995y ago

salawat5y ago

The regression suite never gets to run if it shares the dependency.

And the system under test shouldn't even compile for the tests to run either. So it isn't so much the regression suite saving you so much as it is just acting as the client of first resort.

jakear5y ago

0xff00ffee5y ago

Bumping your comment because I would like to know. I'm following the github thread.

jakear5y ago

gombosg5y ago

1 more reply

detaro5y ago

If they'd pinned the dependency versions, and ran the tests before updating the pins, the tests should have catched it.

j / k navigate · click thread line to collapse