react-gemini-scrollbar dependency issue

[turt2live]

This is largely an issue to track the solution and minor scope of the problem for future reference.

In upgrading to React 16 we had to bump the react-gemini-scrollbar dependency (matrix-org/react-gemini-scrollbar#2 and matrix-org/matrix-react-sdk#3276), however because we reference the dependency by hash it causes problems for us. There's two problems at play here: the installation order of our dependencies (for development environments) and the lack of version bump in the react-gemini-scrollbar package.

Our installation docs say to install riot-web first, which references the current release of the react-sdk instead of develop. This means that the dependency (in this case [email protected]#5e97aef) gets pulled in and cached. Later, when the react-sdk is installed, a hash change occurs but no version change so the update is skipped. It's worth noting that the CDN appears to operate in this fashion too: it would cache 5e97aef instead of f644523 for 2.1.5.

However, if we had riot-web pointing to react-sdk#develop instead of release, we'd pull in the new dependency first and it would be largely okay. There's some uncertainty about how the CDN or local cache would react given the lack of version change, but it should at least solve most of the problem.

Bumping the version alongside the hash is the best fix, as it causes a cache miss regardless of dependency conflicts. This is what matrix-org/react-gemini-scrollbar#3 does.

Additional notes: #10893 doesn't appear to have the same version problem, though it's relatively important for us to use the same versions of dependencies across our layers.

[turt2live]

There's a possible concern with pointing at develop in that npm doesn't build the dependencies, so the checkout is useless. Need to make sure that yarn does.