Follow-up to #2865971: Use stylelint as opposed to csslint in core

Quoting drpal:

It looks like we didn't specify the exact versions of the new stylelint dependencies. What I think should have happened is yarn add stylelint@7.10.1. Despite the yarn.lock file, we are still opening ourselves up to version mismatch issues by being too loose with the exact dependencies.

The ^ will still automatically update us to a newer minor version which could introduce some issues.

Comments

cilefen created an issue. See original summary.

drpal

Status: Active » Needs review

Update the stylelint dependencies to exact versions, adjust yarn.lock

cilefen

Status: Needs review » Reviewed & tested by the community

Assuming it will pass...

cilefen

Status: Reviewed & tested by the community » Needs work

Actually, yarn.lock looks a bit changed.

drpal

Status: Needs work » Needs review

Right, since some of the underlying dependencies have changed, thanks ^, we don't want to update all those as well.

alexpott

Ughs I thought yarn was deterministic and always obeyed its lock file... it appears not... https://github.com/yarnpkg/yarn/issues/570

cilefen

Status: Needs review » Reviewed & tested by the community

LGTM

alexpott

Status: Reviewed & tested by the community » Needs work

Actually reading https://github.com/yarnpkg/yarn/issues/570#issuecomment-257136286 and the maintainer of yarn's response - i.e. the comment below - I'm actually convinced that yarn does work how I think it should and build deterministically even with the caret operator.

I'd rather that our dependencies are maintained the same way we maintain our PHP dependencies. Which is to say we should specify what we're compatible with and the lock file should ensure that everyone gets the same versions.

cilefen

#5 is the result of modifying package.json then running yarn install. This action modifies yarn.lock, which is different than the way composer works.

alexpott

@cilefen are you sure that this matters? Yes changing the package.json and then running install to change the lock file is a bit weird but nothing has changed incorrectly in the lock file. What we're discussing here is if changing something unrelated in the lock file will cause different dependencies to be downloaded. I don't see any evidence for that. For example, https://www.drupal.org/node/2880013#comment-12095846 modifies the package.json and doesn't change yarn.lock.

drpal

@alexpott @cilefen

Alright. After some further research about Yarn I think we can safely just leave the carets in package.json because the actual version is locked within yarn.lock. I'd suggest we can close this.
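To make the point of the thread concrete, here is an added example (not code from the thread or from Drupal core) that parses a constructed v1 yarn.lock fragment and checks that every caret range in package.json has a lock entry whose pinned version actually falls inside that range. It assumes the v1 lockfile layout and plain x.y.z versions; the resolved hashes are placeholders.

```python
import json
import re

# Constructed sample: the caret ranges discussed in the thread and the
# lockfile entries yarn writes for them (hashes are placeholders, not real).
PACKAGE_JSON = '{"devDependencies": {"stylelint": "^7.10.1", "stylelint-config-standard": "^16.0.0"}}'
YARN_LOCK = '''# yarn lockfile v1

stylelint-config-standard@^16.0.0:
  version "16.0.0"
  resolved "https://registry.yarnpkg.com/stylelint-config-standard/-/stylelint-config-standard-16.0.0.tgz#PLACEHOLDER"

stylelint@^7.10.1:
  version "7.10.1"
  resolved "https://registry.yarnpkg.com/stylelint/-/stylelint-7.10.1.tgz#PLACEHOLDER"
'''

# A v1 entry is an unindented "name@range[, name@range...]:" line followed by indented fields.
ENTRY_RE = re.compile(r'^(\S.*):\n((?:[ \t]+.*\n?)*)', re.M)

def parse_yarn_lock(text):
    """Map each 'name@range' key of a v1 yarn.lock to the exact version it pins."""
    pinned = {}
    for key_line, body in ENTRY_RE.findall(text):
        m = re.search(r'^\s+version "([^"]+)"', body, re.M)
        if not m:
            continue
        for key in key_line.split(', '):
            pinned[key.strip('"')] = m.group(1)
    return pinned

def caret_allows(range_spec, version):
    """npm caret semantics: >= base, and the leftmost non-zero component of base is frozen."""
    if not range_spec.startswith('^'):
        return range_spec == version
    base = [int(x) for x in range_spec[1:].split('.')]
    got = [int(x) for x in version.split('.')]
    idx = next((i for i, b in enumerate(base) if b != 0), len(base) - 1)
    return got >= base and got[:idx + 1] == base[:idx + 1]

def check_lock(package_json, yarn_lock):
    """Return {name: problem} for dependencies whose lock entry is missing or out of range."""
    spec = json.loads(package_json)
    wanted = {**spec.get('dependencies', {}), **spec.get('devDependencies', {})}
    pinned = parse_yarn_lock(yarn_lock)
    problems = {}
    for name, rng in wanted.items():
        key = f'{name}@{rng}'
        if key not in pinned:
            problems[name] = 'no lock entry (run yarn install and commit yarn.lock)'
        elif not caret_allows(rng, pinned[key]):
            problems[name] = f'locked {pinned[key]} outside {rng}'
    return problems
```

An empty result means the lock pins one exact version for every range, which is the property the thread ends up relying on; in CI the same guarantee comes from `yarn install --frozen-lockfile`, which fails instead of rewriting yarn.lock when package.json and the lock disagree.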