PIN YOUR DEPENDENCIES (Or how I broke CRA for everyone today)
Is your proposal related to a problem?
Sure is. I’m the maintainer of webpack-manifest-plugin and I bricked create-react-app for a few minutes this morning. Turns out that npm had one of those very rare npm pack hiccups and a version snuck out to the registry without any dist code.
Describe the solution you’d like
Pin your dang dependencies, people! This project is big enough and used by enough people (especially the legions of newbies who don’t know how to diagnose or triage dependency issues) that this project should not be using transitive dependencies for critical pieces of library architecture. This https://github.com/facebook/create-react-app/blob/221e511730ca51c036c6954a9d2ee7659ff860f9/packages/react-scripts/package.json#L76 should not be transitive, it should be pinned.
CRA won’t start up if webpack-manifest-plugin is hosed. And it was. So it was effectively bricked.
Describe alternatives you’ve considered
Pray to the Flying Spaghetti Monster (didn’t work)
Additional context
Given the issues that we’ve seen recently, and most recently with colors.js bricking the world, this seems wise to resolve. I’d bet there are a bunch more critical deps that won’t allow CRA to start up should something be awry as well.
Issue Analytics
- Created 2 years ago
- Reactions: 21
- Comments: 9 (1 by maintainers)
Top GitHub Comments
yep, classic cra issue https://github.com/facebook/create-react-app/issues/7709 😩
UPDATE just now I am seeing an error:
Loading PostCSS "postcss-preset-env" plugin failed: Unexpected token '.'
and the PostCSS Preset Env package has been updated just an hour ago… https://github.com/csstools/postcss-plugins/issues/153
no code changes, just another build and boom 💥! so annoying
please, cra team fix the dependencies!!
https://github.com/facebook/create-react-app/pull/11474#issuecomment-927353126
@shellscape Looks like CRA had its dependencies unpinned very recently. Check the related PR. Maybe it’s not very wise to pin dependencies. There may be patch releases that fix a vulnerability, or critical fixes by the library authors, that we don’t want to miss.
Also, users can pin dependencies themselves if needed via Yarn’s resolutions or npm’s upcoming overrides feature.
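The issue body argues for pinning critical direct dependencies, and the last comment points at Yarn’s `resolutions` and npm’s `overrides` as the user-side way to force a transitive dependency to one version. The script below is an added example, not code from this issue thread or from the create-react-app project: it reads a `package.json`, reports which direct dependencies are declared as semver ranges rather than exact versions, and lists any `overrides`/`resolutions` entries that force a single version. The `package.json` it audits is constructed for the demo; the package names are taken from the thread, the version numbers are placeholders.

```javascript
// Added example, not code from the create-react-app issue or project.
// Audits a package.json for direct dependencies declared as semver ranges
// rather than exact versions, and lists npm "overrides" / Yarn "resolutions"
// entries that force a transitive dependency to one version.
// The package.json below is constructed for this demo; package names come
// from the issue thread, version numbers are placeholders.
const SAMPLE_PACKAGE_JSON = JSON.stringify({
  name: "demo-app",
  dependencies: {
    "webpack-manifest-plugin": "^4.0.0", // caret: any 4.x.y may be installed
    "postcss-preset-env": "~7.0.0",      // tilde: any 7.0.x may be installed
    "react": "17.0.2",                    // exact pin
    "left-pad": "*"                       // anything at all
  },
  devDependencies: {
    "eslint": ">=7.0.0"                   // open-ended range
  },
  // Force one version of a transitive dependency regardless of the range an
  // intermediate package declares (npm reads "overrides", Yarn "resolutions").
  overrides: { "webpack-manifest-plugin": "4.0.0" },
  resolutions: { "webpack-manifest-plugin": "4.0.0" }
});

// An exact version: MAJOR.MINOR.PATCH with optional pre-release / build tags
// and no range operator (^, ~, >=, *, x, ||) anywhere in the spec.
const EXACT_VERSION = /^\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?(\+[0-9A-Za-z.-]+)?$/;

function isExactPin(spec) {
  return EXACT_VERSION.test(String(spec).trim());
}

// Returns { pinned, unpinned, transitivePins } for the given package.json text.
// Only plain package names are handled in overrides/resolutions; Yarn glob
// keys such as "**/foo" are skipped by the exact-version test.
function auditPins(packageJsonText) {
  const pkg = JSON.parse(packageJsonText);
  const report = { pinned: [], unpinned: [], transitivePins: {} };

  for (const field of ["dependencies", "devDependencies"]) {
    for (const [name, spec] of Object.entries(pkg[field] || {})) {
      (isExactPin(spec) ? report.pinned : report.unpinned).push(name);
    }
  }

  for (const field of ["overrides", "resolutions"]) {
    for (const [name, spec] of Object.entries(pkg[field] || {})) {
      if (isExactPin(spec)) report.transitivePins[name] = spec;
    }
  }
  return report;
}

// Run against the constructed sample: react is the only exact pin, the four
// range specs are reported as unpinned, and the override is listed.
console.log(JSON.stringify(auditPins(SAMPLE_PACKAGE_JSON), null, 2));
```

In practice the committed lockfile is what fixes transitive versions for a given install; `overrides`/`resolutions` are the tool for forcing one version when an intermediate package’s range would otherwise float, which is the situation the issue describes. The audit is deliberately strict: a caret or tilde on a dependency that the application cannot start without is exactly the case the issue author wants flagged.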