[Pkg-javascript-devel] Bug#980316: about corepack and yarnpkg

Jonas Smedegaard jonas at jones.dk
Mon Jan 24 09:31:10 GMT 2022 

Quoting Paolo Greppi (2022-01-24 10:01:30)
> Hi all
> 
> Il 09/01/22 21:59, Paolo Greppi ha scritto:
> > I stumbled upon this thread related to packaging corepack for gentoo: 
> > https://github.com/nodejs/corepack/issues/76
> > 
> > We now have node 16 in experimental, but our package does not bundle 
> > corepack (as upstream does):
> > https://packages.debian.org/experimental/amd64/nodejs/filelist
> > 
> > I propose that we create a RFP/ITP for corepack separate from nodejs, 
> > with Conflicts: yarnpkg
> > 
> > The corepack binary would install /usr/bin/yarnpkg pointing to the 
> > corepack shims; this would allow Debian users who "use different package 
> > manager versions across multiple projects" to happily install random 
> > binaries downloaded from the internet if they wish.
> > 
> > If we agree that we (as a distribution) need specific versions of 
> > yarnpkg (for building other stuff, we need to keep one or more yarnpkg 
> > packages in Debian, all with Conflicts: corepack + each other.
> > 
> > If we really want yarnpkg 1, according to my tests, the corepack route 
> > is useless:
> > 
> >      docker pull node:16
> >      docker run -it --rm node:16 bash
> >      yarn -v # 1.22.15
> >      # this downloads https://registry.npmjs.org/yarn/-/yarn-1.22.17.tgz
> >      # based on the versions / 1.22.17 / dist / tarball value in:
> >      # https://registry.yarnpkg.com/yarn/
> >      corepack prepare yarn at 1.22.17 --activate
> >      yarn -v # 1.22.15
> >      corepack yarn -v # 1.22.17
> >      ls -l /root/.node/corepack
> > 
> >      total 2
> >      -rw-r--r-- 1 root root 63 Jan  9 18:33 lastKnownGood.json
> >      drwxr-xr-x 1 root root 14 Jan  9 18:13 yarn
> > 
> > To "build" it quick and dirty we can download once and for all the same 
> > pre-built binary that corepack would download, extract it and symlink it 
> > to /usr/bin/yarnpkg (without shims); this package should go to contrib 
> > since it downloads stuff from the internet during the build, but would 
> > fix the issue of yarnpkg blocking the migration to webpack5 and removal 
> > of node-request.
> > Or else keep alive the current version in main by just bundling into it 
> > webpack4 and node-request.
> > 
> > If we really want a new yarnpkg3 package, corepack is also useless as it 
> > merely installs yarnpkg 1.
> > The upstream recommended way of installing yarnpkg 3 (get yarn 1 with 
> > corepack then yarn init -2 (sic!)) just downloads the current pre-built 
> > binary (ATM 
> > https://repo.yarnpkg.com/3.1.1/packages/yarnpkg-cli/bin/yarn.js, 2199165 
> > bytes) to .yarn/releases/yarn-3.1.1.cjs.
> > AFAICT this does not integrate with the shared package manager versions 
> > stored in ~/.node/corepack.
> > 
> > One way to "build" yarnpkg3 quick and dirty is to download once and for 
> > all the same pre-built binary that yarn init -2 would download, and 
> > symlink it to /usr/bin/yarnpkg (without shims).
> > Or if we want it in main we should replicate the way upstream builds 
> > this yarn.js binary.
> > 
> > Sorry for the long message, this is a mess!
> > 
> > Paolo
> > 
> 
> the bugs related to yarn 1 are piling up, what do we want to do as a 
> team on this ?
> 
> I vote for keeping yarn 1 in the archive by bundling into it 
> node-babel-eslint, webpack4 and node-request-capture-har/node-request. 
> This would address #1002902, #1001630, #1000582 and #958686.
> 
> BTW in the meantime nobody created a RFP/ITP for corepack: it looks like 
> there's not so much interest for that.

Is there much interest in yarnpkg?

Is there enough interest in yarnpkg to bring back webpack4 then I would 
argue it should be done properly (as independent package) or at least 
get release team and security team opinion on the plans to stuff it up 
with **more** unmaintainable code.

 - Jonas

-- 
 * Jonas Smedegaard - idealist & Internet-arkitekt
 * Tlf.: +45 40843136  Website: http://dr.jones.dk/

 [x] quote me freely  [ ] ask before reusing  [ ] keep private
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: signature
URL: <http://alioth-lists.debian.net/pipermail/pkg-javascript-devel/attachments/20220124/b948981b/attachment.sig>

More information about the Pkg-javascript-devel mailing list