- update preinstall only-allow invocation to use @latest pnpm
- update ncu scripts to use npm-check-updates@latest with --deep
- align npm-check-updates config with updated ncu command

Signed-off-by: donniean <donniean1@gmail.com>
Code Review
This pull request updates several scripts and configurations to use the @latest tag for npm-check-updates and only-allow when using pnpm dlx. Feedback across all files suggests that using @latest introduces non-deterministic behavior and potential instability; it is recommended to pin these dependencies to specific versions to ensure reproducibility and consistent behavior across different environments and CI pipelines.
| "docs": "tsx src/scripts", | ||
| "postdocs": "prettier --write README.md", | ||
| "preinstall": "pnpm dlx only-allow pnpm", | ||
| "preinstall": "pnpm dlx only-allow@latest pnpm", |
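Review bot: `pnpm dlx only-allow pnpm` with no tag already resolves the `latest` dist-tag, so `@latest` here makes the floating resolution explicit rather than introducing it; neither the old nor the new line is pinned. Because `preinstall` runs on every `pnpm install` for every contributor and CI job, the hook executes whichever `only-allow` release the registry serves at that moment, with no lockfile entry to review. Pin an exact version instead (`only-allow@<pinned version>`, placeholder for a reviewed release) so the hook's behaviour changes only through a deliberate bump.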
Using @latest is the opposite of pinning; it creates a floating dependency that fetches the newest version on every run. In a preinstall script, this makes the installation process non-deterministic and can break the build for all contributors if a buggy version is released. It is recommended to pin to a specific version to ensure stability and reproducibility.
| "lint:text:fix": "autocorrect --fix", | ||
| "lint:types": "tsc --noEmit", | ||
| "ncu": "pnpm dlx npm-check-updates --deep", | ||
| "ncu": "pnpm dlx npm-check-updates@latest --deep", |
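Review bot: same floating-version concern as the `preinstall` hook: `npm-check-updates@latest` is resolved when `pnpm ncu` runs, so two developers (or two CI runs) can get different tool versions and therefore different upgrade suggestions for the same repository. Either pin an exact version in the script string, or add `npm-check-updates` as a devDependency and have the script call `ncu --deep` directly, so the lockfile fixes the version and it is updated through normal dependency review.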
| pkg: { | ||
| scripts: [ | ||
| { key: 'ncu', value: 'pnpm dlx npm-check-updates --deep' }, | ||
| { key: 'ncu', value: 'pnpm dlx npm-check-updates@latest --deep' }, |
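Review bot: the literal command string `pnpm dlx npm-check-updates@latest --deep` is now repeated here, in the `package.json` `ncu` script, and in the documentation snippets, and this PR had to touch every copy to keep them aligned. If this `pkg.scripts` entry is the source the other copies are derived from, consider keeping the command in one place (a shared constant or the generated output) so a future pin or flag change cannot leave one copy stale.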
| ```bash | ||
| pnpm pkg set \ | ||
| scripts.ncu='pnpm dlx npm-check-updates --deep' \ | ||
| scripts.ncu='pnpm dlx npm-check-updates@latest --deep' \ |
| pnpm pkg set \ | ||
| scripts.ncu='pnpm dlx npm-check-updates --deep' \ | ||
| scripts.ncu='pnpm dlx npm-check-updates@latest --deep' \ |
Signed-off-by: donniean donniean1@gmail.com