fix(dependency): updated tar to 6.x in shared-metrics #415
Conversation
|
@basti1302 Could you please give this a pre review? Let me know if you agree or disagree :) Thanks! |
There was a problem hiding this comment.
The general direction looks good in my opinion. I would maybe lean towards disabling the copy-precompiled feature outright in Node.js < 10, but that's totally up for discussion.
I'll will follow up with a more detailed answer to the questions and aspects you brought up here.
I would leave these other two packages out of the picture for this PR. We use semver much more widely, so I think we cannot update this to a newer version right now. By the way, when we update node-tar, we might want to remove it from https://github.com/instana/nodejs/blob/main/packages/shared-metrics/.ncurc.json as well.
Interesting, I didn't know that. But you say it already fails to install even before updating to tar@6? That's good, so that update does not create a new problem then. Besides, people running on EOL Node.js versions can then just not make use of the engine-strict option, that seems fair enough.
I beg to differ :-) Unfortunately, the tests covering this are not straight forward to find. They are in the collector package (https://github.com/instana/nodejs/tree/main/packages/collector/test/nativeModuleRetry) because they require the whole integration test shebang with the agent stub etc. When I wrote those tests, that test infrastructure was only available in the collector package :-/. Actually, I think, we should be able to move those tests to shared-metrics now, because by now there is a precedent for having an integration test with the agent stub in the shared-metrics package -> https://github.com/instana/nodejs/blob/main/packages/shared-metrics/test/dependencies/test.js (this did not exist when the native retry feature and tests were added).
That's correct, these are the only two usages.
Those exist. 👍
That's what I had in mind originally, I think it is a bit more straightforward then (3.).
Also possible, assuming the catch will also catch outright "syntax errors" (because tar@6 uses syntax constructs that
I agree with that, tar should not be an optional dependency. 👍
Do we explicitly require the tar package in any of our tests? If so, we might need to provide a different version of node-tar in our dev-dependencies, maybe in the root package, in case we want to keep running the tests that depend on it in older Node.js versions. To be honest, I am not sure about those other usages right now. |
Hu, that's interesting. I would have expected https://github.com/instana/nodejs/blob/main/packages/collector/test/nativeModuleRetry/test.js to fail for Node.js 8 then, but it didn't? 🤔 🤔 |
|
I have no strong opinion if 2 or 3. We can go with 3 :) Its defo an easier check than the try catch statements. My thinking was to try our best to still offer the feature to as many people we can. |
Definitely :) I was summing up that these two packages will make the installation of the collector fail if engine-strict is enabled. And tar will bring it to fail too!
Oh. I haven't seen this test. So yeah there is a test and copyPrecompiled is covered. That is good! Thanks for the hint! 🔥
No. I'd update our dev dependencies in a separate PR as part of the stability roadmap. Ok for you? |
|
Discussed: We go with option 2! |
Sure, absolutely 👍 I was just curious. |
kirrg001
force-pushed
the
update/tar6
branch
7 times, most recently
from
9a9e6c8 to
adcaeeb
Compare
| @@ -11,8 +11,8 @@ const EventEmitter = require('events'); | |||
| const copy = require('recursive-copy'); | |||
| const fs = require('fs'); | |||
| const os = require('os'); | |||
| const semver = require('semver'); | |||
There was a problem hiding this comment.
FYI
semver@7 does not support Node < 10 anymore.
But I ignored it for this PR because we already require semver@7 in different places (production code).
I'll check if we should protect the code against semver@7 and [email protected] in a different PR.
There was a problem hiding this comment.
Good find! The situation seems to be a bit weird with semver.
AFAICT, the node-semver changelog did not call out explicitly which Node.js versions they dropped with 7.0.0, it just said "Drop support for very old node versions, use const/let, => functions, and classes." -- all of which are supported in Node.js 6, but not in Node.js 4. Then there is this discussion: npm/node-semver@d61f828#r36469180, around setting the minimum version to 10 in package.json/engines. :-/
Looks like the current code is working on >= Node.js 6 for now, but we should definitely do something about it and not rely on that.
But let's discuss this offline, outside of this PR. 👍
kirrg001
changed the title
| @@ -47,5 +47,7 @@ function sense() { | |||
| stats.statsSupported = true; | |||
| return stats; | |||
| } | |||
| return {}; | |||
| return { | |||
| statsSupported: false | |||
There was a problem hiding this comment.
FYI I have added consistency changes for libuv and gc to have the statsSupported key always available in the metrics result. Before these optimisations the key did not exist for some cases.
Especially in this line, I tried to read the actual exports.currentPayload.statsSupported value, which is set on failed event, but it is impossible to access it without refactoring the code.
There was a problem hiding this comment.
The decision to not transmit statsSupported = false might have been deliberate back in the days (to save a few bytes on the wire). But I agree, it is probably not worth it and having the value always present as a boolean makes sense.
| @@ -11,8 +11,8 @@ const EventEmitter = require('events'); | |||
| const copy = require('recursive-copy'); | |||
| const fs = require('fs'); | |||
| const os = require('os'); | |||
| const semver = require('semver'); | |||
There was a problem hiding this comment.
Good find! The situation seems to be a bit weird with semver.
AFAICT, the node-semver changelog did not call out explicitly which Node.js versions they dropped with 7.0.0, it just said "Drop support for very old node versions, use const/let, => functions, and classes." -- all of which are supported in Node.js 6, but not in Node.js 4. Then there is this discussion: npm/node-semver@d61f828#r36469180, around setting the minimum version to 10 in package.json/engines. :-/
Looks like the current code is working on >= Node.js 6 for now, but we should definitely do something about it and not rely on that.
But let's discuss this offline, outside of this PR. 👍
| @@ -47,5 +47,7 @@ function sense() { | |||
| stats.statsSupported = true; | |||
| return stats; | |||
| } | |||
| return {}; | |||
| return { | |||
| statsSupported: false | |||
There was a problem hiding this comment.
The decision to not transmit statsSupported = false might have been deliberate back in the days (to save a few bytes on the wire). But I agree, it is probably not worth it and having the value always present as a boolean makes sense.
refs 75234 Tar 6 has already dropped Node support < 10 See https://github.com/npm/node-tar/blob/065e3850dfcfa439fd7d4bce0407ba616f85f576/package.json#L48 We currently receive security updates in tar 5.x, but that can stop quickly, because Node 8 support has stopped in 2020 already. We should just update tar to 6.x in shared-metrics because: Node 8 (and lower) is officially not supported for two more packages: - semver 7.x - [email protected] (and there are probably tons of more, which just don't make use of the engines keyword) If you set `npm config set engine-strict true`, you will see that you cannot install collector with Node 8 (without the tar update). That menas, it is already a problem. `tar` is used in nativeModuleRetry#copyPrecompiled (https://github.com/instana/nodejs/blob/dc2160bddab5a25d0b6bab25c5d10bee8b5f1bd5/packages/shared-metrics/src/util/nativeModuleRetry.js#L75), but this piece of code is not covered in our tests. Where is nativeModuleRetry script used? Only in shared-metrics. - in gc.js - in lubuv.js Options: 1) ~Add tests for copyPrecompiled to ensure that Node 8 still works~ There is a test! 2) Disallow copyPrecompiled for Node < 10 3) Do nothing, because the execution of `tar.x` is catched in the codebase and the user won't experience anything bad. But (!) if anything goes wrong with requiring tar in Node 8 or before `tar.x` is executed and it's not catched, we can bring down the customers application. We'd need to try/catch the require statement + tar.x ---- Other usages of `tar`: - in tests - in dummy apps - in docker examples - in subdependencies of dev dependencies - these should be updated in a separate and general version update We decided to go with 2).
kirrg001
force-pushed
the
update/tar6
branch
from
adcaeeb to
9d88701
Compare
refs 75234 Tar 6 has already dropped Node support < 10 See https://github.com/npm/node-tar/blob/065e3850dfcfa439fd7d4bce0407ba616f85f576/package.json, line 48. We currently receive security updates in tar 5.x, but that can stop quickly, because Node 8 support has stopped in 2020 already. We should just update tar to 6.x in shared-metrics because: Node 8 (and lower) is officially not supported for two more packages: - semver 7.x - [email protected] (and there are probably tons of more, which just don't make use of the engines keyword) If you set `npm config set engine-strict true`, you will see that you cannot install collector with Node 8 (without the tar update). That menas, it is already a problem. `tar` is used in nativeModuleRetry#copyPrecompiled (https://github.com/instana/nodejs/blob/dc2160bddab5a25d0b6bab25c5d10bee8b5f1bd5/packages/shared-metrics/src/util/nativeModuleRetry.js, line 75), but this piece of code is not covered in our tests. Where is nativeModuleRetry script used? Only in shared-metrics. - in gc.js - in lubuv.js Options: 1) ~Add tests for copyPrecompiled to ensure that Node 8 still works~ There is a test! 2) Disallow copyPrecompiled for Node < 10 3) Do nothing, because the execution of `tar.x` is catched in the codebase and the user won't experience anything bad. But (!) if anything goes wrong with requiring tar in Node 8 or before `tar.x` is executed and it's not catched, we can bring down the customers application. We'd need to try/catch the require statement + tar.x ---- Other usages of `tar`: - in tests - in dummy apps - in docker examples - in subdependencies of dev dependencies - these should be updated in a separate and general version update We decided to go with 2). Co-authored-by: kirrg001 <[email protected]>
refs 75234
Tar 6 has already dropped Node support < 10
See https://github.com/npm/node-tar/blob/065e3850dfcfa439fd7d4bce0407ba616f85f576/package.json#L48
We currently receive security updates in tar 5.x, but that can stop quickly, because Node 8 support has stopped in 2020 already.
We should just update tar to 6.x in shared-metrics because:
Node 8 (and lower) is officially not supported for two more packages:
(and there are probably tons of more, which just don't make use of the engines keyword)
If you set
npm config set engine-strict true, you will see that you cannot install collectorwith Node 8 (without the tar update). That menas, it is already a problem.
taris used in nativeModuleRetry#copyPrecompiled (nodejs/packages/shared-metrics/src/util/nativeModuleRetry.js
Line 75 in dc2160b
Where is nativeModuleRetry script used? Only in shared-metrics.
Options:
Add tests for copyPrecompiled to ensure that Node 8 still worksThere is a test!tar.xis catched in the codebase and the user won't experience anything bad. But (!) if anything goes wrong with requiring tar in Node 8 or beforetar.xis executed and it's not catched, we can bring down the customers application. We'd need to try/catch the require statement + tar.xtaris not a binary installation, that's why I'd not add it as optional dependency, because it is not possible to fail except the customer uses engine-strict.Other usages of
tar:TODO
[ ] consider adding a test!there is a test!