Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Peer version pins #1254

Closed
kriskowal opened this issue Sep 1, 2022 · 4 comments · Fixed by #1257
Closed

Peer version pins #1254

kriskowal opened this issue Sep 1, 2022 · 4 comments · Fixed by #1257
Milestone
0.29.0

Comments

@kriskowal
Copy link

kriskowal commented Sep 1, 2022
edited
Loading

All @cosmjs packages are coversioned and pin their peer dependencies to the same exact version.

CosmJS packages also use TypeScript classes with private fields, which makes them particularly sensitive to identity and type discontinuity. That is to say, an application’s lockfile and node_modules tree can only have one version of each CosmJS package or they will see type errors of the form “Tendermint34 RPC client can’t be assigned to Tendermint34 RPC client because private field X is not X.” The only difference will be that the left and right Tendermint34 clients will come from different versions of the same package.

To that end, applications and libraries using CosmJS must also pin to the exact same version of each package and must not use semver ranges. That also means that any libraries being used with CosmJS must transitively be pinned so that any pair of libraries can reliably refer to the same instance.

At Agoric, we used a semver range for @cosmjs/stargate and @cosmjs/tendermint-rpc. That resulted in our packages receiving a newer version of tendermint-rpc than the one pinned in stargate, so stargate got its own version. This in turn resulted in type discontinuity errors. Semver ranges are the default behavior of yarn and npm when installing new packages.

This problem can be mitigated a number of ways:

  1. (favored) CosmJS packages could use semver ranges for their dependencies on fellow CosmJS packages
  2. CosmJS could loudly and virally document that all dependees must use a pinned version of all CosmJS packages and that they must post the same warning in the documentation of any libraries they publish, or risk dire but vague consequences.
@webmaster128
Copy link
Member

Thank you for bringing this up. The change from "^foo" to "foo" came when migrating aways from Lerna and I never had a good argument for prefering one over the other. I think we can change that.

At Agoric, we used a semver range for @cosmjs/stargate and @cosmjs/tendermint-rpc. That resulted in our packages receiving a newer version of tendermint-rpc than the one pinned in stargate, so stargate got its own version.

What I am wondering is: why/how did you get a different version for @cosmjs/tendermint-rpc than @cosmjs/stargate? We release all packages for every new version.

@webmaster128 webmaster128 added this to the 0.29.0 milestone Sep 5, 2022
@webmaster128
Copy link
Member

The relevant yarn docs are here: https://yarnpkg.com/features/workspaces#publishing-workspaces. By specifying the path to the package our internal versions were turned into exact version.

@webmaster128 webmaster128 mentioned this issue Sep 5, 2022
Merged
@kriskowal
Copy link
Author

That’s intriguing.

Upon further reflection, I cannot explain the effect I saw in terms of the model I described, so I must have missed something. That said, I’m sure using a semver range is not worse than pinning. Thank you for looking into this!

@webmaster128
Copy link
Member

Shipped as part of CosmJS 0.29.0

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
0.29.0
Development

Successfully merging a pull request may close this issue.

Use caret for internal version numbers cosmos/cosmjs
2 participants
@kriskowal @webmaster128