# javascript
e
When we update or change npm dependencies we are forced to run
kotlinUpgradeYarnLock
before assembling again. If not, assembling fails. I wonder if this task could be set up to run automatically if dependency changes are found. This would remove the additional step compared to K/JVM. It's not a big deal, just a DevEx improvement imo.
c
This is a feature, not a bug. The point is to make sure that dependencies don’t change unexpectedly. If you have Gradle dependency locking enabled, the behavior is the same.
But yes, I agree the current behavior is the best. And you would see the same behavior from Gradle if you used its native dependency locking (https://docs.gradle.org/current/userguide/dependency_locking.html) for the JVM targets.
e
Thanks! Didn't know those Yarn options were already there. Nice!
The point is to make sure that dependencies don’t change unexpectedly
Understandable, though it's quite frustrating during the prototyping phase, every time I forget to run it.
c
There was a significant incident about 2 years ago, where a JavaScript package that Kotlin uses was updated with a malicious new version. Because NPM package versions weren’t pinned with a lock file at the time, any Kotlin/JS developer that happened to simply compile their application during a window of time would automatically download the new dependency version, run system install scripts, and have their computer infected with crypto mining spyware.
e
I think the majority of users simply run
kotlinUpgradeYarnLock assemble
without even thinking about it. So probably the end result wouldn't change. I check the dependencies I'm going to include obviously.
c
You do you. I just want to make sure you’re able to make an informed decision.
h
For prototyping I just disable the lockfile (locally) but keep it enabled on the remote/main branch.
e
@hfhbd thanks! That's also a valid option