From a431029a0444314d91cee2600755b22038210c17 Mon Sep 17 00:00:00 2001 From: David Murdoch Date: Wed, 7 Oct 2020 11:07:56 -0400 Subject: [PATCH 1/4] update README stating this technique is not safe for publishing --- README.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/README.md b/README.md index 7f723f8a..dbb2c41e 100644 --- a/README.md +++ b/README.md @@ -2,6 +2,8 @@ patch-package

+**Note: It is not safe to publish npm packages with patched dependencies!** + `patch-package` lets app authors instantly make and keep fixes to npm dependencies. It's a vital band-aid for those of us living on the bleeding edge. From 2a6408632c6198e48a3f32000f9ca16f8c2b8118 Mon Sep 17 00:00:00 2001 From: David Murdoch Date: Thu, 8 Oct 2020 18:59:37 -0400 Subject: [PATCH 2/4] Update README.md Co-authored-by: Pedro Augusto de Paula Barbosa --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index dbb2c41e..f432e65f 100644 --- a/README.md +++ b/README.md @@ -2,11 +2,11 @@ patch-package

-**Note: It is not safe to publish npm packages with patched dependencies!** - `patch-package` lets app authors instantly make and keep fixes to npm dependencies. It's a vital band-aid for those of us living on the bleeding edge. +Note for module authors: it is not safe to publish an npm package that uses `patch-package` to patch a non-dev-dependency. + ```sh # fix a bug in one of your dependencies vim node_modules/some-package/brokenFile.js From e8e8ff70bfa1635067c455c7763c6d24a8fbc3dd Mon Sep 17 00:00:00 2001 From: David Murdoch <187813+davidmurdoch@users.noreply.github.com> Date: Thu, 18 Aug 2022 14:01:41 -0400 Subject: [PATCH 3/4] add reason behind note --- README.md | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index f432e65f..04c2344f 100644 --- a/README.md +++ b/README.md @@ -5,7 +5,16 @@ `patch-package` lets app authors instantly make and keep fixes to npm dependencies. It's a vital band-aid for those of us living on the bleeding edge. -Note for module authors: it is not safe to publish an npm package that uses `patch-package` to patch a non-dev-dependency. +_Note for module authors: it is not safe to publish an npm package that uses +`patch-package` to patch a non-dev-dependency because patches are applied to +a specific file in your node_modules folder, but when a package is installed +by end users the node_modules dependency tree may shift things around, and +this shifting could be due to factors that can't be controlled by +`patch-package`._ + +_Also, if the dependency you are patching is also imported by the user of your +package, patch package shouldn't patch that version of the package... which is +not really feasible._ ```sh # fix a bug in one of your dependencies From 50d5e0c69deda48ddb4fe12d885610c9c53c80b2 Mon Sep 17 00:00:00 2001 
From: David Murdoch <187813+davidmurdoch@users.noreply.github.com> Date: Thu, 18 Aug 2022 17:02:26 -0400 Subject: [PATCH 4/4] Update README.md Co-authored-by: Pedro Augusto de Paula Barbosa --- README.md | 12 +++--------- 1 file changed, 3 insertions(+), 9 deletions(-) diff --git a/README.md b/README.md index 04c2344f..f6eaa30b 100644 --- a/README.md +++ b/README.md @@ -6,15 +6,9 @@ dependencies. It's a vital band-aid for those of us living on the bleeding edge. _Note for module authors: it is not safe to publish an npm package that uses -`patch-package` to patch a non-dev-dependency because patches are applied to -a specific file in your node_modules folder, but when a package is installed -by end users the node_modules dependency tree may shift things around, and -this shifting could be due to factors that can't be controlled by -`patch-package`._ - -_Also, if the dependency you are patching is also imported by the user of your -package, patch package shouldn't patch that version of the package... which is -not really feasible._ +`patch-package` to patch a non-dev-dependency. This is because `patch-package` works by patching specific files in specific places within the `node_modules` folder, and currently cannot control the following factors:_ +- _When an end user installs your package, their `node_modules` dependency tree may have shifted things around._ +- _If the dependency you patched is also depended on by other packages (or directly by the end user), you might be causing unintended breaking changes._ ```sh # fix a bug in one of your dependencies
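Review bot: In PATCH 1/4 the bold note added above the intro paragraph is broader than the actual hazard: it warns against publishing any npm package with patched dependencies, but a patch to a devDependency is never seen by consumers, since devDependencies are not installed with a published package. Scope the warning to dependencies that consumers will install, and give the reason, otherwise a reader cannot tell when the note applies to them.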
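Review bot: PATCH 2/4 narrows the note to "a non-dev-dependency", which fixes the scope, but the sentence still states a rule with no reason, so module authors have nothing to reason from when their situation is not exactly the one described. One clause explaining that `patch-package` edits files at fixed paths under the publisher's own `node_modules`, which a consumer's install does not reproduce, would make the rule self-explanatory; see whether "Note for module authors:" also wants the same emphasis (bold or italic) as the rest of the README's callouts rather than plain text.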
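Review bot: In PATCH 3/4 the second added paragraph spells the tool "patch package" while every other mention uses `patch-package`; keep the backticked name consistent. The same paragraph trails off ("shouldn't patch that version of the package... which is not really feasible") without stating the consequence: if the end user or another package depends on the same dependency, the patched copy can be the one they resolve to, so the risk is an unintended behaviour change for code outside the publisher's package. Say that plainly, e.g. "your patch may also be applied to the copy other packages use, changing their behaviour". The first paragraph's "this shifting could be due to factors that can't be controlled by `patch-package`" is also circular; naming the factor (hoisting and deduplication decided by the consumer's package manager) would be clearer, if the maintainers agree that is the cause.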
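Review bot: In PATCH 4/4 the lead sentence promises "the following factors" that `patch-package` cannot control, but the second bullet ("you might be causing unintended breaking changes") is a consequence rather than a factor; reword it so both bullets are factors (e.g. "the dependency you patched may be shared with other packages or with the end user"), or change the lead sentence to "the following problems". The added bullet lines also run well past the roughly 80-column wrapping used by the surrounding README paragraphs; wrap them to match. Finally, since the note now tells module authors what not to do, a closing pointer to the supported alternative (upstreaming the fix, or publishing a patched fork of the dependency) would make the guidance actionable rather than only prohibitive.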