Join GitHub today
GitHub is home to over 50 million developers working together to host and review code, manage projects, and build software together.
Sign updeps: Experiments with Corepack #35398
Conversation
Corepack provides shims for Yarn and pnpm in order to soften the developer experience when working on Node projects. Refs: #15244 Refs: nodejs/TSC#904
|
Fantastic to see progress on this! With regards to the questions:
I'd say that's a requirement, yes.
To do so, we'd need an issue opened in the nodejs/admin repo proposing the change. Assuming there are no objections after a few days, it's considered accepted and we just move it in. There's no real fanfare here.
Take a look at the test/parallel/test-npm-* tests and follow a similar pattern. The testing does not have to be comprehensive but should be enough to be reasonably certain that changes in core haven't broken something in corepack. |
| @@ -0,0 +1,2 @@ | |||
| #!/usr/bin/env node | |||
devsnek
Sep 28, 2020
•
Member
these files could be symlinks to a helper that reads process.execName or whatever it's called. it's a common pattern in gnu core utils so it shouldn't break anything.
these files could be symlinks to a helper that reads process.execName or whatever it's called. it's a common pattern in gnu core utils so it shouldn't break anything.
devsnek
Sep 28, 2020
Member
it also occurs to me that if someone does not want a specific package manager on their system (for example, i do not wish to have yarn on my system), this could be considered somewhat invasive. Are we planning to ship tars with and without corepack?
it also occurs to me that if someone does not want a specific package manager on their system (for example, i do not wish to have yarn on my system), this could be considered somewhat invasive. Are we planning to ship tars with and without corepack?
jasnell
Sep 28, 2020
Member
@devsnek ... this would not install the binaries by default. It installs jumpers that would download the binaries on demand if needed and it would be possible to block it via configuration.
@devsnek ... this would not install the binaries by default. It installs jumpers that would download the binaries on demand if needed and it would be possible to block it via configuration.
devsnek
Sep 28, 2020
Member
I realize it doesn't come with the binaries, but it puts things in my path that installs them. Let's say I'd rather not have any of that. Would I have to bundle my own releases of node?
I realize it doesn't come with the binaries, but it puts things in my path that installs them. Let's say I'd rather not have any of that. Would I have to bundle my own releases of node?
zkochan
Sep 28, 2020
•
What if it will ask you before downloading Yarn or pnpm?
Like "Do you want Yarn v2 be downloaded to your system? Y/n"
What if it will ask you before downloading Yarn or pnpm?
Like "Do you want Yarn v2 be downloaded to your system? Y/n"
jasnell
Sep 28, 2020
Member
I'm not sure if it's implemented yet or not, but there was also discussion around being able to set configuration options to disable the download. It would likely be possible to have the tool remove the jumpers from the path when requested to do so. For interactive installers, it should be possible to make that configurable (e.g. by default install all jumpers but give the user the option to select them during the install)
I'm not sure if it's implemented yet or not, but there was also discussion around being able to set configuration options to disable the download. It would likely be possible to have the tool remove the jumpers from the path when requested to do so. For interactive installers, it should be possible to make that configurable (e.g. by default install all jumpers but give the user the option to select them during the install)
arcanis
Sep 28, 2020
Author
Contributor
Downloads can be disabled by setting COREPACK_ENABLE_NETWORK=0 in the environment (nodejs/corepack#4). Removing the jumpers isn't possible yet as I wasn't sure of the use case, although it would be possible if needed.
Downloads can be disabled by setting COREPACK_ENABLE_NETWORK=0 in the environment (nodejs/corepack#4). Removing the jumpers isn't possible yet as I wasn't sure of the use case, although it would be possible if needed.
ljharb
Sep 28, 2020
Member
@merceyz many tools are invoked directly, and not as part of a package manager - how would these tools detect it?
@merceyz many tools are invoked directly, and not as part of a package manager - how would these tools detect it?
arcanis
Sep 28, 2020
Author
Contributor
I believe it should be up to these projects to make decisions on a per-case basis, as the semantic compatible path isn't clear. For instance, that CRA "will use Yarn to install dependencies (when available)" could be interpreted as CRA preferring installs to be made via Yarn as much as possible - in which case using npm when Yarn is available wouldn't be the behavior that the project would prefer.
I believe it should be up to these projects to make decisions on a per-case basis, as the semantic compatible path isn't clear. For instance, that CRA "will use Yarn to install dependencies (when available)" could be interpreted as CRA preferring installs to be made via Yarn as much as possible - in which case using npm when Yarn is available wouldn't be the behavior that the project would prefer.
arcanis
Sep 28, 2020
Author
Contributor
Also note that these tools are typically called via npx, pnpx, or yarn create / yarn dlx. In all of these cases, the tool got an implicit insight as to the preferred package manager (ie under npx the $npm_config_user_agent value will reference npm, with yarn dlx it'll reference Yarn, etc).
Also note that these tools are typically called via npx, pnpx, or yarn create / yarn dlx. In all of these cases, the tool got an implicit insight as to the preferred package manager (ie under npx the $npm_config_user_agent value will reference npm, with yarn dlx it'll reference Yarn, etc).
|
There still seem to be some lingering TODOs from the issues linked in the original point before this should land:
I'd also like to ask:
Additionally, I think it's worth being upfront about our intents here: do we plan to eventually try to install npm through this? This should be probably be discussed since it could be impactful in deciding how to approach landing this / if it should be landed. Others shared their views in some of the aforementioned issues, and I have my own opinions on this that I'd be more than happy to share if they are potentially relevant. |
|
marking objection to land explicitly until we:
|
All tier 1 and tier 2 platforms listed on https://github.com/nodejs/node/blob/master/BUILDING.md#platform-list must be supported before this moves out of experimental (imo it's fine to land without initial support for some platforms if this feature is experimental and opt-in) |
|
To some of @bnb's questions:
I do not believe that these need to be answered before this lands and while it is still marked experimental. I would agree that these are exit criteria to graduate from experimental, however.
We really won't know until it's in user's hands, for that, we should land it as opt-in experimental.
They should be able to, yes.
We haven't applied that strict of reasoning to other things and we shouldn't now. There's no guarantee that anything we add to Node.js is going to have people willing and able "without question" to support it for the next decade. That said, this is the whole reason for wanting to bring the project into Node.js and encourage additional maintainers. That said, this thing is really small and shouldn't need much effort to maintain.
Given that it's an install-time thing and not a Node.js runtime thing, the "flag" would be an option in the interactive installer to omit it, which absolutely should be the case. |
I think there will be no lack of maintainers. This feature would be really useful for pnpm users, so I'll help out if there'll be a need. I believe other pnpm users/contributors will be willing to help as well. |
|
I have some concerns.
|
Well, to be clear, corepack does not currently replace the npm binary. So there's no immediate risk there. That said, the
Pull request... No different really than updating the npm client version in core.
People who do not want yarn installed should not ever need to have it. Shipping all three would bloat the installer image needlessly, and providing an option to download on install is really no different. This gives the additional benefit of allowing different projects to select which package manager they require, which an install time only option would not provide.
Not sure what you're basing this on. The design documentation for corepack goes into detail on how both corepack and the package manager would be updated and the flow is not much more complicated than what we have currently. |
|
@jasnell |
|
I don't think anyone suggested how to make this opt in for v15 yet, and imo if it's opt out it's definitely a semver major change (especially with @ljharb point on |
As @jasnell mentioned the npm binary is untouched by this PR, and I personally don't intend to change that, as I don't feel it's my place to make any critical change about a competing project (plus it comes with its own set of considerations unique to its situation). My only goal here is to ensure that my users' interests are accounted for - nothing more, nothing less
The LKG releases bundled with Node will be updated by pull request (just like npm is updated by pull request). The LKG releases that apply on an individual user's machine (typically what people would change by running Note that
(note: pmm is now Corepack, since pmm was already taken on the npm registry) My main worry with making it opt-in is classic: if there's a problem, we will be less likely to know about it - meaning that once we reach the end of the experiment, even if nothing bad happened, we still won't have enough confidence that the workflow will be stable enough for an even release (especially since Node wouldn't monitor how many people opted-in, so we would have to assume that it would be a very low amount). By contrast, seeing real-life feedback for an opt-out would guarantee that nothing sneaked by us, allowing us to safely make informed decision later down the road. And of course that wouldn't prevent us from having |
On this point there is a difference between shipping the package managers in the installer image vs option to download on install in that the former allows installation on a machine without an internet connection. |
|
@arcanis, based on the feedback, the concrete changes I'd like to see before moving this forward:
Given that this does not impact npm at all, there really shouldn't be anything further to discuss there unless the npm team decides to adopt it. |
|
also |
I still don't think we can switch from opt-in to opt-out in a semver minor (not as it is today at least). IMO this is not something we should rush as it has the potential of breaking many automated workflows via scenarios we didn't consider so far. |
|
For give me if I am wrong, just trying to understand things, first I love the idea of a level playing ground for all package managers, but why not just have If I use npm for everything on homebrew. Ican just do I am worried about the complexity and UX of having all these extra commands and things going around. I know myself using this would be trivial, but my co-worker who updates our gatsby site and only knows what commands we teach her and often messages me because |
|
That would more or less be something that |
|
This message might answer your question: #15244 (comment) Which package manager to use is not up to the user but rather up to the project. All developers that work on a given project should use the same package manager. |
|
Ok, so if corepack doesn't install a I'm not sure how this needle is being threaded here. Either there's an executable in the |
|
Unfortunately approach doesn't fit any Linux installed that I'm aware of (and we don't maintain the
The idea is that no extra commands will be required (you need to run |
|
npm is still packaged in its entirety, not part of corepack. |
|
@isaacs there will be no changes to npm at this time. If a user runs npm, npm will run, that's it. |
|
Ok, so the idea is that node ships npm and corepack, with a What happens when someone runs If that's the case, then npm can self-update and yarn can't (and can't be installed by npm either). Not exactly a level playing field. |
|
I'm basing it on the fact that
If you are shipping a binary named
It would increase bytes, but reduce complexity. I believe the tradeoff is better. Download time is less valuable than debugging time.
Should this just be a thing npm can do? It wouldn't be hard at all to add an npm command that will run a command with whichever package manager is declared in the project, and/or raise warnings/errors if you've specified a package manager other than npm, with instructions on how to install the package manager specified. |
|
@nodejs/tsc do you think this should be considered semver major? It's an experimental feature and using |
|
I believe my objection is addressed, but I would like to try the PR out locally before dismissing it. I'll try to do so over the weekend. If I don't comment on the issue before Monday morning (PST) feel free to dismiss my objection. |
|
I'll try and find time to do a more in depth review tomorrow and Monday to ensure nothing appears Semver-Major... but I do like the idea of us agreeing this can land as a Semver-Minor to give us more flexibility towards landing the change. |
|
Can someone clarify this for me: With this change, a package chooses its package manager, not the end user? A package manager (at some version) becomes essentially a peer dependency of a package? Is there precedent for this in other ecosystems? |
Packages don't choose their package managers, no. Once published, they are expected to work across all package managers. Nothing changes in this regard (in fact, it'll be even more important if Yarn and pnpm become as "legitimate" as npm is). Projects (which may be published as packages or not) do choose their package managers. For instance, if you wish to contribute to the Babel codebase, you should use Yarn, because that's what their repository is configured for. Because of this, if you wish to contribute to the Babel codebase, you better have Yarn in your environment. This is what we're aiming to improve. (In other words: only the top-level |
|
so the "requiring a specific version of package manager x" applies only to a dev environment...kind of like a .npmrc or package-lock.json. ok. |
|
How adding a manager of package managers to Node.js really makes things easier for us? Doesn't it make things even more convoluted and distorted for Node.js users? It feels very confusing to me - another uncommon and counterintuitive tool to learn about. Shouldn't we see a Node.js as package manager agnostic runtime in first place? How about going following route:
Wouldn't that be simple, clear for users, and solve the problem? |
|
@medikoo I'd really appreciate if we could keep "brainstormings" to #15244 so that this PR can focus on the implementation. This thread has already 70 comments, and if we go into design Q&A I'm concerned it would become even harder to follow. To answer you quickly, your plan is actually not unlike what's actually implemented here. In particular, the "[binary which] provide an installation script, that will download and install a chosen package manager" is very much what Corepack itself is. The main difference is that you're suggesting to remove npm from Node, which I'm personally not interested to pursue. The main reason why this PR has a chance to land is that it's "strictly better" than what Node currently has, enabling more workflows than exist now without hurting the existing ones. Removing Node would be a different game, because it would remove workflows. I don't believe this could ever land in the current landscape, and we need to be pragmatic. |
Co-authored-by: Rich Trott <rtrott@gmail.com>
Co-authored-by: ExE Boss <3889017+ExE-Boss@users.noreply.github.com>
|
Do you see any remaining blocker to address before this PR can be merged? |
|
Not a blocker but we should def follow up ASAP with the idea of creating a Corepack WG (or bring that conversation under one of the existing ones) so that we can actually measure/evaluate the results of the experiment and in general have the right place to follow up with the many discussions brought up during the pmm/corepack proposal. |
Co-authored-by: Ruy Adorno <ruyadorno@github.com>
I believe this will be part of what @jasnell planned for #35682 |
good point! @jasnell it's unclear to me whether #35682 is just a tangential or if its intention is to replace/fulfill the need for a WG/place of discussion for corepack as raised by @wesleytodd in nodejs/admin#558 |
|
That'll be on the agenda for the summit, yes |
I think there are lots of open questions (for example all those in #35398 (comment)), and an explicit objection on the PR... EDIT: I should probably have also said, my expectation was that upcoming summit was the place to discuss a number of those questions and make progress before this would land. |
Most of those meta questions have been answered here or in the original thread.
Similarly, @mmarchini's requests have been addressed. As a reminder, they were to:
From my point of view the first iteration is ready and everything in this thread has been addressed one way or another, so if you see remaining blockers I'd appreciate them being restated here under the form of concrete action items, so that we're sure we're all on the same page |
|
+1 ... I think @mmarchini's objections have been addressed. What I'd like to see at this point is for this to land in the main branch but hold off on moving it into a release until at least after we have the binary manager summit. In that regard, it would be similar to the QUIC work -- available for folks to try and experiment with if they build from source, but not delivered in a supported release until it's had time to bake a bit more. |
|
For a change like this I personally think it should have more TSC approvals, at the very least a good number of collaborator approvals. @jasnell with respect to "it would be similar to the QUIC work -- available for folks to try and experiment with if they build from source" is there a compile time flag that gates it being included? |
@bnb are you happy that your questions that you raised have been addressed through the references above? |
|
lgtm |
| ### Configuring a project | ||
|
|
||
| The Corepack proxies will find the closest `package.json` files in your | ||
| directory hierarchy to extract their `packageManager` property, formatted as | ||
| such: | ||
|
|
||
| ```json | ||
| { | ||
| "packageManager": "yarn@1.22.10" | ||
| } | ||
| ``` | ||
|
|
||
| If the requested package manager is supported (only Yarn and pnpm are at the | ||
| moment), Corepack will make sure that all calls to the relevant binaries (in | ||
| this case any command starting with `yarn`) are ran against the specified | ||
| version. |
aduh95
Oct 31, 2020
Contributor
I think this should be documented in packages.md, in the package.json field definitions section:
Lines 781 to 787
in
8e3e46d
I think this should be documented in packages.md, in the package.json field definitions section:
Lines 781 to 787 in 8e3e46d

Context (note that pmm got renamed as Corepack in order to be an available package name on the npm registry):
This PR adds Corepack into the Node distribution pipeline (only for Linux / OSX - I didn't find how the Windows build works). By itself, it only involves very few changes:
deps/corepack(it only takes 300KB)deps/npm, this folder is mirrored intolib/node_modules/corepackbin(using the same pipeline as npm)make corepack-update) updates thedeps/corepackcontent to match the repository main branchAs a result:
npm install -g yarn, which will overwrite the Corepack binary starting from 1.22.10Questions:
Documentation:
I haven't written them yet, but I suspect I'll need to update the following pages:
Do you see additional locations I should be mindful of?
Checklist
make -j4 test(UNIX), orvcbuild test(Windows) passes