RFC: Streamline bumping dependent packages on GitHub
dlqqq opened this issue
Problem: Users are unintentionally using older versions of `node-gyp` than the one included with NPM because their dependencies are resolving `node-gyp` to an older version. When `node_modules/.bin/node-gyp` is present, NPM always defaults to using that local version instead of the global version.

I'd like to start a discussion on this idea: Is it possible to query the NPM registry, determine the dependent packages with the highest number of downloads, and then reach out to their GitHub repos to ensure that they bump `node-gyp` on every major release?
I've only entertained this idea for a short while, but it seems like contributors would have to:

- Find/write some script to find the largest dependents of `node-gyp` (e.g. `canvas`).
- Write a GitHub app/workflow that bumps the declared version of `node-gyp`, and is triggered by every new major release of `node-gyp`.
- Reach out to the GitHub repositories of the largest dependents, and contribute this app/workflow.
- Finally, advertise this app/workflow to other repositories, so they can also keep their `node-gyp` versions up-to-date automatically.
While this doesn't guarantee that local versions of `node-gyp` will be up-to-date, this would significantly reduce the frequency of users reporting issues due to an older `node-gyp` version. This is because if multiple major versions of `node-gyp` are present, `node_modules/.bin/node-gyp` symlinks to the highest version of `node-gyp`.

Conclusion: For any package, just one dependency using the latest major version of `node-gyp` is sufficient. If this RFC were accepted, users will report outdated `node-gyp` versions far less frequently.
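As an added example (not from this issue or the node-gyp project), here is a lockfile check a maintainer could run to see which `node-gyp` copies a project actually installs: the hoisted copy at `node_modules/node-gyp` (the one `node_modules/.bin` links to) and any nested copies that a dependent pulls in with an older major. The sample `package-lock.json`, the package names in it and the npm-bundled version passed in are all constructed.

```python
import json
import re

# Constructed package-lock.json (lockfileVersion 3 layout); names and versions
# are illustrative only and do not describe any real project.
SAMPLE_LOCK = json.dumps({
    "name": "example-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"dependencies": {"canvas": "^2.11.0", "node-gyp": "^10.0.0"}},
        "node_modules/node-gyp": {"version": "10.0.1"},
        "node_modules/canvas": {"version": "2.11.2",
                                "dependencies": {"node-gyp": "^8.0.0"}},
        "node_modules/canvas/node_modules/node-gyp": {"version": "8.4.1"},
        "node_modules/some-native-addon": {"version": "1.0.0",
                                           "dependencies": {"node-gyp": "^10.0.0"}},
    },
})


def major(version):
    """Return the major component of a semver string such as '8.4.1'."""
    return int(re.match(r"\d+", version).group(0))


def audit_node_gyp(lock_json, npm_bundled_version):
    """Report the hoisted node-gyp and every nested copy older than npm's bundled major.

    npm_bundled_version is supplied by the caller (assumption: taken from the
    npm install on the machine, e.g. the output of `npm ls -g node-gyp`).
    """
    packages = json.loads(lock_json)["packages"]
    hoisted = packages.get("node_modules/node-gyp", {}).get("version")
    stale_nested = {}
    for path, meta in packages.items():
        # Nested copies live at node_modules/<dependent>/node_modules/node-gyp;
        # the hoisted copy has nothing before "node_modules/" and is skipped here.
        m = re.fullmatch(r"(.+)/node_modules/node-gyp", path)
        if not m:
            continue
        dependent = m.group(1).rsplit("node_modules/", 1)[-1]  # keeps @scope/name
        if major(meta["version"]) < major(npm_bundled_version):
            stale_nested[dependent] = meta["version"]
    return {
        "hoisted": hoisted,
        "hoisted_is_stale": hoisted is not None
        and major(hoisted) < major(npm_bundled_version),
        "stale_nested": stale_nested,
    }
```

Running it against a real lockfile is just `audit_node_gyp(open("package-lock.json").read(), bundled)`; any entry in `stale_nested` is a dependent whose declared range is the one worth bumping.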
https://docs.github.com/en/code-security/dependabot is the workflow that you are talking about and GitHub offers it free of charge to all open-source projects. There are numerous automated tools to keep deps in sync. (https://docs.renovatebot.com for example). Getting developers to implement these tools takes a ton of both time and patience.