A better way to communicate and manage Auro dependencies

[blackfalcon]

There is a small set of elements that have either nested or peer dependencies on other Auro elements. The issue here is that when one element is updated and other elements have a dependency on that released element, the dependents should be updated as well.

Here is a quick table of elements and their dependencies. We need to find a better way to manage this data and assist with managing updates as well.

Auro component dependency map

The following is a mapping of repositories and their direct and peer dependencies.

Repository	Dependencies	Peer dependencies	dependents
Design tokens			Everything except icons and datetime
Auro icons			datetime, carousel, checkbox, accordion, dialog, alert, badge, hyperlink, icon, pane, menu, avatar, card, input, nav, backtotop, combobox, datepicker, lockup
WCSS		tokens	Everything except icons and tokens
datetime		icons, wcss	flight
background		tokens, wcss
skeleton		tokens, wcss
table		tokens, wcss
toast		tokens, wcss
pane		tokens, wcss
popover		tokens, wcss	datepicker
radio		tokens, wcss
loader		tokens, wcss	button
drawer		tokens, wcss
header		tokens, wcss	card, banner
carousel	icons	tokens, wcss
checkbox	icons	tokens, wcss
accordion	icons	button, tokens, wcss	sidenav
banner	header	tokens, wcss
button	loader	tokens, wcss	nav, backtotop
dropdown		icon, tokens, wcss	select, combobox, datepicker
dialog		icons, tokens, wcss
alert		icons, tokens, wcss
badge		icons, tokens, wcss	flight, flightline
hyperlink		icons, tokens, wcss	sidenav, card, nav
icon		icons, tokens, wcss	avatar, dropdown, backtotop
pane		icons, tokens, wcss
menu		icons, tokens, wcss	select, combobox
lockup		icons, tokens, wcss
avatar		icons, icon, library, tokens, wcss
flightline	badge	tokens, wcss	flight
sidenav	accordion, hyperlink	tokens, wcss
card	header	icons, hyperlink, tokens, wcss
flight	badge, flightline	datetime, tokens, wcss
input	library	icons, tokens, wcss	combobox, datepicker
nav	button, hyperlink	icons, tokens, wcss
backtotop	icons, button, icon	tokens, wcss
select	dropdown, library, menu	tokens, wcss
combobox	icons, dropdown, input, menu	tokens, wcss
datepicker	icons, dropdown, input, popover	tokens, wcss

[blackfalcon]

As listed, just about EVERY repo has a dependency on Icons and WCSS. I am not recommending that we update every repo with each release of these tools. Every repo should have the dependency listed with the ^ modifier which will allow the end users to update things easily.

That being said, I would suggest that at least once a 'sprint' cycle we look to update all the repos based on the releases that cycle.

[blackfalcon]

Something we could look to automate is cycling through each repo and performing a surgical npm update that will only update Auro packages and run a build to ensure there are no issues.

npx npm-check-updates @aurodesignsystem/* --peer -u -d --doctorTest 'npm run build'

[blackfalcon]

Using BASH and the npm-check-updates tool, I created the following script that will update all the dependents of the Auro Icons repo.

function updateDependents_icons {
  ## declare an array variable
  declare -a arr=("datetime/" "carousel/" "checkbox/" "accordion/" "dialog/" "alert/" "badge/" "hyperlink/" "icon/" "pane/" "menu/" "avatar/" "card/" "input/" "nav/" "backtotop/" "combobox/" "datepicker/")

  ## now loop through the above array
  for i in "${arr[@]}"
  do
    echo -e "\n$i\n"
    command cd ~/src/auro/"$i"
    command git checkout master
    command git checkout main
    echo -e "updating repo from remote"
    command git pull
    command npx npm-check-updates @alaskaairux/icons --peer -u -d --verbose --doctorTest 'npm run build'
    command git add --all
    sleep 1
    command git commit --no-verify -m "perf: update @aurodesignsystem dependencies"
    echo -e "Commit added to Git\n"
    echo -e "Pushing to the remote\n"
    sleep 2
    command git push origin $(git branch-name) -u
    echo -e "Update pushed to the remote\n"
    command open https://github.com/AlaskaAirlines/auro-"$i"actions
  done
}

Maintaining this list of dependents is something we should look into automating as well. Doing some research on this, npm is more concerned about managing dependencies versus dependents. There are few tools I came across that even considered this kind of resource management.

In this scenario, npm-check-updates filters out only @aurodesignsystem dependencies, auto-updates the version, and runs a build with each update. This will ensure that the updated npm doesn't break the build. Once that cycle is through the BASH script automates the Git actions and pushes the updates. The last step opens a browser page so that the user of this tool can be assured that all releases successfully happen.

Regarding peer dependencies, as long as each dependency is set with a ^, the latest version will be installed when the consuming app installs the element. As long as we maintain the direct dependency versions, we will be ok.

Give the following example. In a project the first element installed is auro-datetime. This element has a peer dependency on Icons and WCSS. The ./package.json has Icons ^4.30.1 and WCSS has ^5.0.5 listed.

After running the install, versions 4.37.0 and 5.0.8 were installed respectively.

Given this information, while we do want to keep all our dependencies up to date and ensure that they still work as expected, I recommend the following.

1. With each PR, there should ALWAYS be a commit that updates all dependencies.
2. At the end of each sprint, we should ensure that all repos are updated using something like the script documented above.

[blackfalcon]

Doing some research on this, npm is more concerned about managing dependencies versus dependents.

Digging deeper, there are no utilities for this because the process of npm update on the consumer end clearly has a process for management and we should not be overly concerned with manually maintaining this.

Even so, if a user needs to redefine the version of a dependency, this again is done at the consumer's end using the override feature.

[blackfalcon]

Documenting this as known info, but pertains to this conversation.

A tool Auro uses when building dependencies is peerDependencies, which since npn @v7 npm will auto-install packages based on SemVer designation. Auro uses this method of defining dependencies this way to specifically enable consumers with the ability to maintain their own dependency version installment.

For example, Auro makes good use of the caret ^ indicator which states the following to be true ^1.2.3 := >=1.2.3 <2.0.0-0. Given this, updating the contents of the package.json by the Auro team is NOT mandated. Consumers are allowed to update their dependencies locally.

From npm's perspective running npm update uses the information in the package.json to install updates and only updates the package-lock.json document. Tools like npm-check-updates has capabilities to update the package.json file itself, but there are no tools out there that update peerDependencies. Only [direct]dependencies and devDependencies.

While there is a responsibility from Auro to maintain dependencies and ensure that our components work with the latest Auro releases, e.g. an Auro component having a dependency on another Auro component or library, the maintenance of dependencies on the consumer end is up to the consumer. We cannot do that for them.

What does this end up looking like?

Within each sprint timeline, the Auro team will ensure, based on the table above, that as lower-level Auro deliverables are updated, their dependents are also updated to ensure compatibility.

Additionally, as changes happen in core libraries, e.g. tokens or WCSS, these resources are NOT released until their compatibility with all other dependents are updated to support their release. This especially holds true for any major releases.

[blackfalcon]

Something a little confusing when interacting with other developers is, it is reported that a component that has a nested dependency of[email protected] for example. Then that same nested dependency is also defined in the package.json at version [email protected]. The component itself has a released version of [email protected].

When npm installs these dependencies, the tree should look like this. Illustrating that the ^ in the package.json allows npm to install the most recent version within the MAJOR release SemVer.

├─┬ [email protected]
│ ├── [email protected] deduped
├─┬ [email protected]

Given this, even if a version defined is behind the currently released version, npn will install the current version in both cases.

The only reason I can understand that this is happening is if the consumer of the package has not properly updated their dependencies or has cherry-picked their updates allowing the package-lock.json to have inappropriate refs.

Another cause of incorrect dependencies being loaded is from consumers not clearing out their node_modules directory properly.

In any case, when confronted with situations where there are conflicting versions in an install, the consumer should be requested to dump their node_modeules and package-lock.json and perform a fresh npm install.

[blackfalcon]

As of npm@7 (released 2020/Node 14) npm auto-installs peer dependencies.

For the purpose of easy management by consumers, it has been a preference for Auro dependencies to be listed as peerDependencies unless it is a specific dependency that the consumer would not normally install. E.g. auro-datepicker has a dependency on auro-input. It is fair to say that the consumer will also want auro-input installed for other reasons outside of the use of datepicker.

In that case, it is reasonable to conclude that listing auro-input as a peerDependency is appropriate. One of the reasons for NOT listing as a peerDependency was auto-installing which is not an issue since v7.

There are few cases, if any, where a parent element has a strict dependency on another element's specific version. We should avoid that at all opportunities. E.g. if a primitive element like auro-input has an update with a feature release, it MUST be validated and supported by all consuming elements. For example, it would be the responsibility of the Auro team to ensure that any updates to auro-input is 100% compatible with the currently released auro-datepicker BEFORE release.

In the use case where an Auro engineer will want to lock in a dependency at a version, then this MUST include the work to re-register that component under a different name as illustrated by auro-nav.

Given this information, I would conclude that all auro components move all their auro component dependencies to peerDependencies unless there is a specific reason for version lock. But given the info about how SemVer works, the version lock is only restricting MAJOR updates. The following snippet is from auro-nav's list of dependencies.

  "dependencies": {
    "@aurodesignsystem/auro-button": "^7.2.7",
    "@aurodesignsystem/auro-hyperlink": "^3.5.6",

This snippet is from npm listing dependencies post-install.

├─┬ @aurodesignsystem/[email protected]
│ ├── @aurodesignsystem/[email protected] deduped
│ ├── @aurodesignsystem/[email protected] deduped

Unless we are specifically version locking a package version to be less than or equal to a specific version, npm install or npm update will always try to increase the minor or patch version.

[blackfalcon]

More data for this conversation. It's been brought up about how auro-combox essentially fixes the version it has installed. In the ./package.json we have this.

  "dependencies": {
    "@alaskaairux/icons": "^4.36.2",
    "@aurodesignsystem/auro-dropdown": "^2.10.2",
    "@aurodesignsystem/auro-input": "^2.17.5",
    "@aurodesignsystem/auro-menu": "^3.11.1",
    "chalk": "^5.3.0",
    "lit": "^3.1.2"
  },

The supporting code that generates unique names

import { AuroDropdown } from '@aurodesignsystem/auro-dropdown/src/auro-dropdown.js';
import dropdownVersion from './dropdownVersion.js';
import { AuroInput } from '@aurodesignsystem/auro-input/src/auro-input.js';
import inputVersion from './inputVersion.js';

...

    /**
     * Generate unique names for dependency components.
     */
    const versioning = new AuroDependencyVersioning();
    this.dropdownTag = versioning.generateTag('auro-dropdown', dropdownVersion, AuroDropdown);
    this.inputTag = versioning.generateTag('auro-input', inputVersion, AuroInput);

The end result in the browser ...

This is what is loaded via npm for the combobox component

├─┬ @aurodesignsystem/[email protected]
│ ├── @alaskaairux/[email protected] deduped
│ ├── @aurodesignsystem/[email protected] deduped
│ ├── @aurodesignsystem/[email protected] deduped
│ ├── @aurodesignsystem/[email protected] deduped
│ ├── @aurodesignsystem/[email protected] deduped
│ ├── @aurodesignsystem/[email protected] deduped
│ ├── [email protected] deduped
│ └── [email protected] deduped

There is a flaw in this as the version typed into the DOM is NOT reflective of the version installed. The problem here is that we cannot base this value on internal understanding. As long as we set dependencies with a ^, regardless of the version listed, npm will install the most recent version and that is tracked in the consuming project's ./package-lock.json file.

The only way to know for sure what is happening is to use something like npm ls --depth=2.

The important thing to take away from here is that the solution provided here, in theory, does remove issues with registration and potential version clashing. But... this is difficult to prove.

[blackfalcon]

Recommendation

When it comes to having dependencies on other auro components.

1. Auro should NEVER use "dependencies:"unless there is a use case that demands re-registering a new name for a current element.
   • When this is done, the ./package.json should NEVER use ^ and ALWAYS be specific, e.g. >=1.2.0 <1.3.0. This designation would lock the element into the specific version 1.2.x only allowing for 0.0.x updates.
2. All other uses for dependencies the author MUST use the peerDependencies. As of npm v7 peerDependencies will be auto-managed for the consumer. The consumer can decide to allow for version updates or lock-in to preserve their environments. As a user runs npm update the version of the dependency will not change in the ./package.json unless human edited. But the version reference will be updated and managed via the ./package-lock.json file.

As you can see in the following list, multiple Auro dependencies are loaded under a component install, but are then deduped

├─┬ @aurodesignsystem/[email protected]
│ ├── @aurodesignsystem/[email protected] deduped
│ ├── @aurodesignsystem/[email protected] deduped
│ ├── [email protected] deduped
│ └── [email protected] deduped
├─┬ @aurodesignsystem/[email protected]
│ ├── @alaskaairux/[email protected] deduped
│ ├── @aurodesignsystem/[email protected] deduped
│ ├── @aurodesignsystem/[email protected] deduped
│ ├── [email protected] deduped
│ └── [email protected] deduped
├─┬ @aurodesignsystem/[email protected]
│ ├── @alaskaairux/[email protected] deduped
│ ├── @aurodesignsystem/[email protected] deduped
│ ├── @aurodesignsystem/[email protected] deduped
│ ├── [email protected] deduped
│ ├── [email protected] deduped
│ └── [email protected]

When looking into the ./node_modules folder you will see that these are not installed over and over, but only once per that project. A potential issue comes in when these are nested dependencies, the only way to have everything in sync is to run a npm ci command. Otherwise, you do risk the potential issue of multiple versions installed in the directory with different versions.

npm maintenance habits greatly vary from dev to dev. Moving common dependencies to peerDependencies theoretically gives more power to the consumer to manage the version installed.

[jordanjones243]

I think this is great that you brought this up. I admit, my understanding of dependencies and how they are consumed is not strong, but I have noticed a numerous amount of inconsistencies with how our dependencies are listed from component to component. If you are saying that having our components listed under peerDependencies could help solve potential conflicts, we should make it a priority to fix our dependency structure every time we touch a component.

[blackfalcon]

There may be a flaw in the current version-lock strategy.

re: https://github.com/AlaskaAirlines/auro-datepicker/pull/201/files#diff-846b4676aecc60e5eb362779624a083d2098bad4ddccae6a16c64ccbc8dba866

After reviewing this PR I see a slight flaw. The dependencies are listed with the ^ operator.
https://github.com/AlaskaAirlines/auro-datepicker/pull/201/files#diff-7ae45ad102eab3b6d7e7896acd08c427a9b25b346470d7bc6507b6481575d519R24-R25

The scripts/version.mjs functionality requires a build in order to generate the appropriate version tag on the element. That all works great and even accounts for a simple npm update.

The potential issue I am seeing is that a user could run npm update in their environment, e.g. v2.9 => v2.11. Without a build step, the element will retain the v2.9 stamp on the element.

A potential fix is to set the dependency using the <= operator.

[blackfalcon]

Teams typically have a habit of using the default npm update which will use the reference from the package.json and update to the latest version based on SemVer rules. This will NOT be reflected in the package.json file, but only in the package-lock.json.

Additionally, this step doesn't always dedupe versions. E.g. multiple installs of a single dependency with nested refs may have different versions.

The only way to really ensure that there is no node crud is to run npm ci and we have no control over that.