![]() Both should be committed to the repository. First is the “regular” one, with a list of direct dependencies we specified. This includes both the dependencies we specified, and their dependencies, and their dependencies, and their dependencies, … In other words, direct and transitive dependencies.Īs a result, we have two files with dependencies list. The lock file contains a list of all installed dependencies and their versions. For example, the npm creates the package-lock.json. Some dependency managers create an additional file when installing libraries. So we probably would not like updates like this to happen on their own without our direct action, right? But I have a dependency lock file! ![]() With them, your expectation of non-breaking change when bumping up from 1.2.0 to 1.3.0 has no basis whatsoever. ![]() Of course, not all libraries follow the Semantic Versioning. If you are lucky enough that the new bug affects your application, it can break after what should be a “safe” dependency update. Bugs do not care if that’s a version 4.16.0 or 5.0.0. But sometimes new bugs are introduced in the new releases. Of course, everyone does their best to keep the reality as close to it as possible. Breaking changes, which may cause our code to stop working, can be introduced only in the next “major” version, 5.0.0. In short, each next 4.x.x version should be fully compatible with the previous one, without any breaking changes. This is because the de facto standard for libraries versioning is something called SemVer, or Semantic Versioning. Why? Because theoretically, if your code works with version 4.15.0, then it should be safe to use any next 4.x.x version. But it also says that it accepts any next version as long as it’s lower than 5.0.0. This little caret symbol ( ^) says that the minimal valid version of the lodash library is the 4.15.0. Then your package.json is updated with something like: "lodash": "^4.15.0". For example, when you run: npm install lodash Moreover, some of them by default add dependencies with versions range instead of a single, concrete version. Non-breaking vs bug-free changesĭependency managers allow providing a range of valid versions for each dependency. Since he already had the great_library installed, it did not fetch the newer version for him.Įffect? Both of them did the same operations and ended up with different results.īelieve me or not, but this is the default behavior for quite a lot of dependency managers.īefore we dig into how we can prevent this for different dependency managers, we need to understand two concepts. Unfortunately, this library release happened to introduce a bug that broke the application.Īnd why the first developer couldn’t reproduce the problem, even though he run the same commands? Well, the dependency manager is a little bit lazy. ![]() At this time there already was a new, updated version v1.0.1 available, and that was the one that landed on his workstation. Then the second developer installed dependencies. When the first developer installed the great_library, the latest version of it, v1.0.0, was added. On his workstation, everything was still fine. When the first developer tried to reproduce the issue, nothing changed for him. Then, the other developer pulled the project, installed dependencies, and everything blown up. An example of it we see above.Ī new external dependency was added by the first developer and everything worked well. Those dependencies, and the way we manage them, can cause tricky to find problems coming out of nowhere. Each language has its own or a number of them, and we will look closely at them a little bit later. We manage dependencies with, well, dependency managers. That’s reasonable – very rarely someone pays us to reinvent the wheel. Maybe I’m just lucky.Īlmost every project, no matter the size, uses some external dependencies – libraries and frameworks. > All tests successful! Betrayed by a dependencyĮven without 20 years of experience in the field, I still saw a situation like the above several times. > New dependency great_library v1.0.0 installed!ĭeveloper 2 – some time later: $ cd projects/great_projectĭeveloper 1 – trying to reproduce the problem: $ cd projects/great_project dep_manager – a dependency management tool.Not convinced? Want an explanation? Let’s start it with some story-time. You can probably configure your dependency manager to do it by default. Even then, pin your dependencies – explicitly specify their exact versions. Use a dependency manager that creates a lock file and commit it to the repository. We can solve this with one two simple tricks. This is how to prevent a problem causing your application to out of the sudden stop behaving correctly, or, even more funny, stop behaving correctly only on one developer’s computer. Buckle up, for some of you this may be controversial, but maybe for some others – obvious.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |