DEV Community

loading...

`engineStrict: true` in package.json is problematic - DON'T

Pacharapol Withayasakpunt
Currently interested in TypeScript, Vue, Kotlin and Python. Looking forward to learning DevOps, though.
・1 min read

If you even publish the package / or allow installation via GitHub.

npm i custom-package         # From NPM registry
npm i ${REPO}/custom-package   # From GitHub repo main branch
Enter fullscreen mode Exit fullscreen mode

Then, you'll encounter the problem of package cannot be installed, due to misconfigured package.json

{
  "engines": {
    "node": "14",
    "npm": "please-use-yarn",
    "yarn": "1",
    "pnpm": "please-use-yarn"
  },
  "engineStrict": true
}
Enter fullscreen mode Exit fullscreen mode

A solution

echo 'engine-strict=true' >> .npmrc
Enter fullscreen mode Exit fullscreen mode

A problem NPM team ignored

It seems that engineStrict: true (in package.json) doesn't work in the first place. Only for Yarn , PNPM.

But echo 'engine-strict=true' >> .npmrc works.

A problem Yarn team ignored

It has warning on Yarn run for invalid package.json, including engines.

Suggestion: add "vscode" as a valid engine #8072

Visual Studio Code requires its extensions to include a "vscode" property in the "engines" field in package.json. However, yarn does not know it can be a valid engine, and issues a warning:

yarn add v1.22.4
[1/5] Validating package.json...
warning my-extension@0.0.1: The engine "vscode" appears to be invalid.

So, where it does not warn in the first place depends on Official Yarn Team? It is hard-coded by Yarn. This also happens when someone else used PNPM to publish the package.

A problem pending for PNPM

I also think this might be difficult to fix as well. It might go as far next major release, or got wontfix.

.nvmrc with non-default Node.js version does not work #3016

pnpm version:

5.13.5

Code to reproduce the issue:

nvm install 12
nvm install 14
nvm alias default 12
echo '14' > .nvmrc
nvm use
echo 'engine-strict=true' >> .npmrc
# add `engineStrict: true` in `package.json` also works
Enter fullscreen mode Exit fullscreen mode

Then, add engines field in package.json.

{
  "engines": {
    "node": "14"
  }
}
Enter fullscreen mode Exit fullscreen mode

Expected behavior:

No errors, install successfully.

Actual behavior:

❯ pnpm i
 ERROR  Your Node version is incompatible with "/home/patarapolw/projects/aloud-comments".

Expected version: 14
Got: v12.19.0

This is happening because the package's manifest has an engines.node field specified.
To fix this issue, install the required Node version.

Another way to reproduce

  • Remove engine-strict=true
  • Add node --version to scripts section
Found '/home/patarapolw/projects/aloud-comments/.nvmrc' with version <14>
Now using node v14.15.1 (npm v6.14.8)
❯ pnpm node:version

> aloud-comments@0.2.3 node:version /home/patarapolw/projects/aloud-comments
> node --version

v12.19.0

Yet another way to reproduce

  • pnpm i @stencil/core
Found '/home/patarapolw/projects/aloud-comments/.nvmrc' with version <14>
Now using node v14.15.1 (npm v6.14.8)
❯ pnpm serve
> aloud-comments@0.2.3 serve /home/patarapolw/projects/aloud-comments
> stencil build --dev --watch --serve
Your current version of Node is v12.19.0, however Stencil's recommendation is v14.5.0 or greater. Note that future versions of Stencil will eventually remove support for non-LTS Node versions and an Active LTS version is recommended (https://nodejs.org/en/about/releases/).

Of course, Stencil team said it's your bug; not theirs.

Additional information:

  • Windows, macOS, or Linux?: Ubuntu 20.04 on WSL2
❯ node -v
v14.15.1
❯ cat /proc/version
Linux version 4.19.128-microsoft-standard (oe-user@oe-host) (gcc version 8.2.0 (GCC)) #1 SMP Tue Jun 23 12:58:10 UTC 2020
❯ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 20.04.1 LTS
Release:        20.04
Codename:       focal

preinstall blocking script aren't enough

  • pnpm run still pick up wrong Node.js version...
  • npm publish, yarn publish, pnpm publish all work differently. engine-strict can block well for this case.
    • I prefer yarn publish the most.

Discussion (0)