Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

beachball not updating package-lock.json version field when publishing

See original GitHub issue

Hello,

I am using beachball to manage a single-package repo (not a monorepo), which it says on the beachball site: “single or monorepo”. I’m using npm. I understand that the majority of monorepo users are using yarn, but npm is popular in the single repo ecosystem. Also, the best practice for npm is to use lockfiles (package-lock.json).

The issue is that package-lock.json files have a version field that corresponds to the version field of package.json, but beachball does not update this field in package-lock.json. Other tooling does, such as the npm version command.

Currently our workaround is to do some manual script wrangling with git:

# Beachball doesn't update package-lock.json files when publishing.
- npx beachball publish --yes --no-push
- npm i --package-lock-only
- git add -A
- git commit -m "applying package updates [skip ci]"
- git push --set-upstream origin main

This is a bit uglier than the happy path:

npx beachball publish --yes --message "applying package updates [skip ci]"

This related issue (https://github.com/microsoft/beachball/issues/482) saw the same issue and added a postpublish hook, but it’s not clear how to use it.

I do use beachball with yarn in other monorepos and it’s wonderful. It would just be nice if beachball updated the lockfile. Would this be hard?

Issue Analytics

State:
Created 2 years ago
Comments:10 (1 by maintainers)

Top GitHub Comments

2reactions

codyzucommented, Apr 14, 2022

It looks like the the latest npm v8.6 was updated to reify the lockfile when npm version runs: npm/cli#4588 Right now beachball manually revs the version field in package.json instead of using the npm version command so it wouldn’t take advantage of that.

That would be a cleaner solution for sure, plus we would get all of the standard pre/post version script goodness that’s standard in npm. According to https://github.com/microsoft/beachball/issues/482#issuecomment-772955130 they are only using beachball with yarn, so I’m guessing we won’t get much love on npm support 😭

I have a few ideas:

beachball could detect if it’s yarn or npm and use the correct tool to version (hard)
beachball could provide a config option that actually does the bump, something like bumpScript where we could set it to npm version --no-git-tag-version ${version} or yarn version --no-git-tag-version ${version}. If it’s not set, it would do the current behavior of just modifying the appropriate package.json files. Seems like that has the potential to simplify a lot of stuff and be a robust solution 🤔
a config setting that you set the package manager, something like packageManager that could be set to npm, yarnclassic, yarn2, etc… That might be a nicer developer experience 🤷

0reactions

rajsitecommented, Apr 15, 2022

@rajsite seems odd that other packages would get updated (and break your setup). According to the docs and here, it should just regenerate the package-lock.json based on the versions in the package.json. Granted it’s not that well documented. Any idea why your package.json and package-lock.json might have been out of sync??? Could that issue have been related to something else?

In any case, I’m going to watch this closely 👀

It was partially because my original script did the following:

# Delete the current node_modules, it seems to get in a state 
# after beachball publish that causes subsequent `npm install`s
# to fail with a npm 7 workspace monorepo
rm -rf node_modules
# Update just the lock file
npm i --package-lock-only

So my original script deleted the node_modules folder before regenerating the lock file. When it does that all the transitive dependencies of your application are redownloaded and the lock file is created with new versions.

If you don’t delete the node_modules folder then npm install --package-lock-only --ignore-scripts will try and create a lock file using the current node_modules structure. While it is unlikely that build resulted in changes (for example parcel will add new packages automatically) or that packages were deprecated during that time there is no guarantee that the npm install won’t result in new or unexpected packages being added due to transitive dependencies.

Top Results From Across the Web

package-lock.json

When npm detects a lockfile from npm v6 or before during the package installation process, it is automatically updated to fetch missing information...

npm install not creating a new package-lock.json

I believe for package-lock.json is auto-generated if the 2 conditions npm version > 5.x.x and node version > 7.x.x are met.

package-lock.json does not exist

The good news is since npm@5.0.0 ignores the resolved field on package-lock.json file and basically fallback to the one defined in the .npmrc...

StreamBase New and Noteworthy - TIBCO Product Documentation

TIBCO StreamBase® 7.6.1 inherits the updates and new features added to ... start a spinning beach ball timeout period that could last for...

The Complete Guide to package-lock.json

If the package version given in the lockfile is not in the version range of the package.json file, packages are updated & package-lock.json...