Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

PIN YOUR DEPENDENCIES (Or how I broke CRA for everyone today)

See original GitHub issue

Is your proposal related to a problem?

Sure is. I’m the maintainer of webpack-manifest-plugin and I bricked create-react-app for a few minutes this morning. Turns out that npm had one of those very rare npm pack hiccups and a version snuck out to the registry without any dist code.

Describe the solution you’d like

Pin your dang dependencies, people! This project is big enough and used by enough people (especially the legions of newbies who don’t know how to diagnose or triage dependency issues) that this project should not be using transitive dependencies for critical pieces of library architecture. This should not be transitive, it should be pinned.

CRA won’t start up if webpack-manifest-plugin is hosed. And it was. So it was effectively bricked.

Describe alternatives you’ve considered

Pray to the Flying Spaghetti Monster (didn’t work)

Additional context

Given the issues that we’ve seen recently, and most recently with colors.js bricking the world, this seems wise to resolve. I’d bet there are a bunch more critical deps that won’t allow CRA to start up should something be awry as well.

Issue Analytics

  • State:open
  • Created 2 years ago
  • Reactions:21
  • Comments:9 (1 by maintainers)

github_iconTop GitHub Comments

jjavierdguezascommented, Jan 12, 2022

yep, classic cra issue 😩

UPDATE just now I am seeing an error: Loading PostCSS "postcss-preset-env" plugin failed: Unexpected token '.' and PostCSS Preset Env package have been updated just an hour ago…


no code changes, just another build and boom 💥! so annoying

please, cra team fix the dependencies!!

krreetcommented, Jan 14, 2022

@shellscape Looks like CRA has its dependencies unpinned very recently. check the related PR. maybe its not very wise to pin dependencies. There may be patch releases that may fix a vulnerability or critical fixes by the library authors, we don’t want to miss.

also users can pin dependencies themselves if needed via Yarn’s resolutions or npm’s upcoming overrides feature.

Read more comments on GitHub >

github_iconTop Results From Across the Web

How should you pin dependencies and why? – The Guild
Unfortunately pinning in package.json will protect you against breakage of a very small portion of your packages. If fact even when you pin...
Read more >
Yarn lock: how it works and what you risk without maintaining ...
When present in the project, yarn.lock is the main source of information about the current versions of dependencies in a project.
Read more >
React Uncaught ReferenceError: process is not defined
The error is as a result of react-error-overlay (which many people would never have heard of because it is a dependency of react-scripts...
Read more >
Should you Pin your JavaScript Dependencies?
Once you start using a tool/service like Renovate, probably the biggest decision you need to make is whether to "pin" your dependencies instead ......
Read more >
Questions & Answers | Yarn - Package Manager
A list of answers to commonly asked questions. ... under the default configuration the stock CRA artifacts now only take 45MB instead of...
Read more >

github_iconTop Related Medium Post

No results found

github_iconTop Related StackOverflow Question

No results found

github_iconTroubleshoot Live Code

Lightrun enables developers to add logs, metrics and snapshots to live code - no restarts or redeploys required.
Start Free

github_iconTop Related Reddit Thread

No results found

github_iconTop Related Hackernoon Post

No results found

github_iconTop Related Tweet

No results found

github_iconTop Related Post

No results found

github_iconTop Related Hashnode Post

No results found