Return-Path: 
 <dev-return-38629-apmail-cordova-dev-archive=cordova.apache.org@cordova.apache.org>
X-Original-To: apmail-cordova-dev-archive@www.apache.org
Delivered-To: apmail-cordova-dev-archive@www.apache.org
Received: from mail.apache.org (hermes.apache.org [140.211.11.3])
	by minotaur.apache.org (Postfix) with SMTP id D0BC617A97
	for <apmail-cordova-dev-archive@www.apache.org>;
 Mon, 29 Sep 2014 23:09:37 +0000 (UTC)
Received: (qmail 2007 invoked by uid 500); 29 Sep 2014 23:09:37 -0000
Delivered-To: apmail-cordova-dev-archive@cordova.apache.org
Received: (qmail 1968 invoked by uid 500); 29 Sep 2014 23:09:37 -0000
Mailing-List: contact dev-help@cordova.apache.org; run by ezmlm
Precedence: bulk
List-Help: <mailto:dev-help@cordova.apache.org>
List-Unsubscribe: <mailto:dev-unsubscribe@cordova.apache.org>
List-Post: <mailto:dev@cordova.apache.org>
List-Id: <dev.cordova.apache.org>
Reply-To: dev@cordova.apache.org
Delivered-To: mailing list dev@cordova.apache.org
Received: (qmail 1956 invoked by uid 99); 29 Sep 2014 23:09:37 -0000
Received: from nike.apache.org (HELO nike.apache.org) (192.87.106.230)
    by apache.org (qpsmtpd/0.29) with ESMTP; Mon, 29 Sep 2014 23:09:37 +0000
X-ASF-Spam-Status: No, hits=1.5 required=5.0
	tests=HTML_MESSAGE,RCVD_IN_DNSWL_LOW,SPF_PASS
X-Spam-Check-By: apache.org
Received-SPF: pass (nike.apache.org: domain of purplecabbage@gmail.com
 designates 209.85.218.49 as permitted sender)
Received: from [209.85.218.49] (HELO mail-oi0-f49.google.com) (209.85.218.49)
    by apache.org (qpsmtpd/0.29) with ESMTP; Mon, 29 Sep 2014 23:09:11 +0000
Received: by mail-oi0-f49.google.com with SMTP id e131so3677483oig.22
        for <dev@cordova.apache.org>; Mon, 29 Sep 2014 16:09:10 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20120113;
        h=mime-version:in-reply-to:references:date:message-id:subject:from:to
         :content-type;
        bh=WfqDUSOR/sOXTjHGr9xg/BIjnc1ttzDzi9KEd1kXgKM=;
        b=VNEFF6PA6XmXSR5xKj1Fcbcwjd/SEu7awXOtnL0yZ7/22KT7tzT7YTsD9AIPHbbZ/5
         t4dX7wcVQ7wPk5ufiix8A9sopuYGZDBPGhEh2mTG6fZdMjD2BxolHWf18xxpaaU33x+d
         8HPgeIneQjcuMTmDGTEkthvCi5YL6jQ8HW2Y4MXgTY+YOLfyeopucilUD4nGHAv2O5nd
         AbRilRSy8xqqnZJsdrz9zK4+yZApwMk6ERrD6Q0VJTAI/c9w8WWbkIO9Q01qBI4Pt6Z3
         8DXo2WGsmmg4O9j+OCs3yyKpWpdWiJL5sFPnt2KO3e50/JoV0Mz2GXp+wKGhW/I3PTj+
         ZsMQ==
MIME-Version: 1.0
X-Received: by 10.60.124.130 with SMTP id mi2mr43073556oeb.25.1412032150623;
 Mon, 29 Sep 2014 16:09:10 -0700 (PDT)
Received: by 10.76.7.135 with HTTP; Mon, 29 Sep 2014 16:09:10 -0700 (PDT)
In-Reply-To: <55ED2FC4-F04D-4E13-B345-26D1EB89F32D@gmail.com>
References: <62368B3C-70D3-4ED3-B470-8BFFD1DF2EDB@gmail.com>
	<CA+GVa3bKbJ4bbmVi+mi3fk1ej1q3uqfNkRdGwp41ZSci+vA8Ag@mail.gmail.com>
	<7ef63ff7ae6f4986a7d96fd47b690437@DM2PR03MB366.namprd03.prod.outlook.com>
	<87566401-D50F-44A8-B42A-442A9325EAD0@gmail.com>
	<CADVgkyOUD5Y6S+vA7QF8hNu=J25o0w+S3Wh_2QzAiq4CiRDVQA@mail.gmail.com>
	<CAHYtTqnizpMnTT04NxR1Y20EEvMKA-5wX=BUXL7mSmbsjW0BkA@mail.gmail.com>
	<CADVgkyMKiaYO+MPJc9L-JDjW4=eZ-Y1Hu7A8pWC9d6JoGamgPA@mail.gmail.com>
	<CAHYtTqmNqjLwbue_edsMKWCSE_Yabnrc2-yaEdrsoK=-Pmsnyg@mail.gmail.com>
	<CADVgkyOc0aCL7rRw2tzzyiveqU_C6CN_iN1wYod2jim+s-qKEw@mail.gmail.com>
	<CAHYtTqnsnO+CfYw_igvFj7pGXNKcLHZ3Fgt_tJAjv_rSuzVvsg@mail.gmail.com>
	<CAHYtTqmzFeStiBP8gPQOVU6R4Am8O4Y8cvO=Nj3G9rBsQsxhag@mail.gmail.com>
	<CABiQX1VYp-YkroBCtXK3py=Z6mxPR3gnvpk6JfaeWfF6+_=Jpw@mail.gmail.com>
	<55ED2FC4-F04D-4E13-B345-26D1EB89F32D@gmail.com>
Date: Mon, 29 Sep 2014 16:09:10 -0700
Message-ID: 
 <CAKP6k2tEJWoedrOtkNMs68dobzi05U9gx9UG39pJm09EJ=p8jw@mail.gmail.com>
Subject: Re: [DISCUSS] shrinkwrap
From: Jesse <purplecabbage@gmail.com>
To: "dev@cordova.apache.org" <dev@cordova.apache.org>
Content-Type: multipart/alternative; boundary=047d7b41773bbfda7d05043c5a7a
X-Virus-Checked: Checked by ClamAV on apache.org

--047d7b41773bbfda7d05043c5a7a
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

+1 to pinned dependencies, and no shrinkwrap

@purplecabbage
risingj.com

On Mon, Sep 29, 2014 at 1:45 PM, Marcel Kinard <cmarcelk@gmail.com> wrote:

> I didn't see a consensus on this topic yet, and a tools release is about
> to get rolling by Steve.
>
> My original driver for this discussion is that if we are going to do
> shrinkwrap, that we do it all the way instead of slapping it on at the en=
d.
>
> Doing it does add more complexity. But it also removes variability, that'=
s
> the part I like. If the majority of folks want to skip the shrinkwrap, I
> would be OK with that as long as we specifically pin all our dependencies=
 (
> "foobar": "1.2.3" ) in our package.json files (no ".x", no tilde, caret,
> greater-than, etc). That would handle the 1st-level dependencies, but not
> subdependencies since we don't have control of their package.json - it's
> partway to the destination at a lower cost. This also assumes that partwa=
y
> to the destination is good enough.
>
> I did add a step to the tools release that the pinned versions get update=
d
> at the beginning of a release:
>
> https://git-wip-us.apache.org/repos/asf?p=3Dcordova-coho.git;a=3Dblobdiff=
;f=3Ddocs/tools-release-process.md;h=3D02d28c97e8dd104528035939049515338347=
c75b;hp=3Db5d288b2c5a8d3cb03bb8fc050bf26c8d15d28fb;hb=3D8ca35fe00cf0e72eb70=
d05e242fe7021ec65b028;hpb=3D14983eb014f84e08e7a76f1ab6ffe069b81f6ffa
>
> Comments?
>
> On Sep 22, 2014, at 10:01 AM, Andrew Grieve <agrieve@chromium.org> wrote:
>
> > I like having it in. For CCA, we actually did get bit in a release wher=
e
> we
> > didn't have a shrinkwrap and a descendant dependency changed and broke
> > things on us.
> >
> > It's also really nice that when we sign and vote on a release, that doi=
ng
> > an "npm install" on it down the line will recreate the exact thing we
> > tested & signed.
> >
> > I think the trouble came along here just from incomplete release step
> > instructions. I think that this (lack of clear steps / process) is the
> real
> > problem.
>
>

--047d7b41773bbfda7d05043c5a7a--