Document that it is not safe to run pinst in the prepack step #24
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
Ohhh I've started seeing this in my packages too. @djcsdy your gist really helped clarify things for me: https://gist.github.com/djcsdy/3ca078e23fdac4c50e077c84e8284a95. I like your suggestion of invoking yarn pinst --disable
yarn publish
yarn pinst --enableRather than at install time: {
"prepack": "pinst --disable",
"postpack": "pinst --enable"
}This is because manipulating the scripts is really a 'release' task. Also the npm scripts section is always cluttered so this frees up some space. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
As much discussed in other issues,
"prepack": "pinst --disable"has never worked as intended. It always results in wrong information going into the npm database. It's just that most tools ignored the wrong information, including npm before npm v10.4.0. See https://gist.github.com/djcsdy/3ca078e23fdac4c50e077c84e8284a95A lot of projects are starting to get hit by this problem:
postinstallhook react-hookz/deep-equal#269I assume this is just the tip of the iceberg. EVERY historical package that has been published using pinst in the recommended configuration is broken and cannot be installed correctly by npm >= 10.4. This problem is NOT limited to packages that were published recently.
I am seeing a lot of confusion about the underlying cause, which is not really surprising.
I think the only responsible course of action is to immediately stop recommending that developers use pinst in their
prepackandpostpackscripts since this results in broken packages and always has done.Unfortunately the only safe way I know of to run pinst is to run it BEFORE
yarn publish. There's no safe way I know of to causeyarn publishto runpinst --disableautomatically. It's unfortunate that the solution is so unergonomic, but the only alternative is many broken packages.Fixes #22, #23.