
Standardize package versions across package.json files #2563

Closed
humphd opened this issue Dec 3, 2021 · 2 comments · Fixed by #2572

humphd commented Dec 3, 2021

In #2545, @menghif and I are debugging an issue in CI with versions and the lock file. It led me to take a look at what packages/versions we have defined for dependencies and devDependencies in all of our package.json files (see below).

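tl;dr: we should standardize all of our packages, and probably start using ^ versions by default, since pnpm is going to introduce a lock file. With a lock file recording the exact resolved versions, a ^ range only moves when the lock file is deliberately updated, so installs in CI and deployment stay reproducible as long as they install from the lock file. See my Analysis section below for what needs to be found/fixed.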

devDependencies

find . -name 'package.json' -not -path "./node_modules/*" -exec cat {} + | jq -s .[].devDependencies | sort
  "@babel/core": "7.14.3",
  "@babel/plugin-transform-runtime": "7.13.15",
  "@babel/preset-env": "7.13.15",
  "@babel/preset-react": "7.13.13",
  "@babel/preset-typescript": "7.16.0",
  "@firebase/rules-unit-testing": "^2.0.1",
  "@mdx-js/loader": "^1.6.22",
  "@mdx-js/mdx": "^1.6.22",
  "@testing-library/react": "^12.1.0",
  "@types/jest": "27.0.2",
  "@types/node": "^16.7.0",
  "@types/react": "^17.0.3",
  "@typescript-eslint/eslint-plugin": "4.17.0",
  "@typescript-eslint/parser": "4.17.0",
  "@vercel/node": "1.9.1",
  "babel-loader": "^8.2.2",
  "babel-preset-next": "1.4.0",
  "cross-env": "7.0.3",
  "del-cli": "^4.0.1",
  "env-cmd": "^10.1.0",
  "env-cmd": "^10.1.0",
  "env-cmd": "^10.1.0",
  "env-cmd": "^10.1.0",
  "eslint": "7.23.0",
  "eslint-config-airbnb": "18.2.1",
  "eslint-config-prettier": "8.1.0",
  "eslint-plugin-import": "2.25.3",
  "eslint-plugin-jest": "25.3.0",
  "eslint-plugin-jest-playwright": "0.2.1",
  "eslint-plugin-jsx-a11y": "6.4.1",
  "eslint-plugin-prettier": "3.4.0",
  "eslint-plugin-promise": "5.1.0",
  "eslint-plugin-react": "7.22.0",
  "eslint-plugin-react-hooks": "4.2.0",
  "fast-xml-parser": "3.19.0",
  "firebase-tools": "^9.9.0",
  "husky": "5.1.3",
  "jest": "27.3.1",
  "jest-fetch-mock": "3.0.3",
  "jest-playwright-preset": "1.7.0",
  "nock": "13.0.11",
  "nodemon": "^2.0.15"
  "nodemon": "^2.0.15"
  "nodemon": "^2.0.15"
  "nodemon": "^2.0.15"
  "nodemon": "^2.0.15"
  "nodemon": "^2.0.15"
  "nodemon": "^2.0.15",
  "npm-run-all": "4.1.5",
  "playwright": "1.11.0",
  "prettier": "2.2.1",
  "pretty-quick": "3.1.0",
  "run.env": "1.1.0",
  "supertest": "6.1.3",
  "supertest": "^6.1.3"
  "supertest": "^6.1.3"
  "terser-webpack-plugin": "^5.1.1",
  "ts-jest": "27.0.7"
  "typescript": "^4.3.5"

Dependencies

find . -name 'package.json' -not -path "./node_modules/*" -exec cat {} + | jq -s .[].dependencies | sort
  "@bull-board/api": "3.6.0",
  "@bull-board/express": "3.7.0",
  "@elastic/elasticsearch": "7.11.0",
  "@elastic/elasticsearch": "^7.11.0",
  "@elastic/elasticsearch": "^7.12.0",
  "@elastic/elasticsearch-mock": "0.3.0",
  "@elastic/elasticsearch-mock": "^0.3.0",
  "@elastic/elasticsearch-mock": "^0.3.0",
  "@fontsource/pt-serif": "^4.2.2",
  "@fontsource/spartan": "^4.2.2",
  "@material-ui/core": "^4.12.3",
  "@material-ui/icons": "^4.11.2",
  "@next/mdx": "^12.0.4",
  "@octokit/webhooks": "^9.15.0",
  "@senecacdot/satellite": "^1.x",
  "@senecacdot/satellite": "^1.x",
  "@senecacdot/satellite": "^1.x",
  "@senecacdot/satellite": "^1.x",
  "@senecacdot/satellite": "^1.x",
  "@senecacdot/satellite": "^1.x",
  "@senecacdot/satellite": "^1.x",
  "@senecacdot/satellite": "^1.x",
  "@senecacdot/satellite": "^1.x",
  "@senecacdot/satellite": "^1.x",
  "@types/smoothscroll-polyfill": "^0.3.1",
  "@types/yup": "^0.29.11",
  "@wordpress/wordcount": "2.15.0",
  "babel-jest": "27.3.1",
  "bull": "3.20.1",
  "bull": "^3.22.0",
  "bull-board": "^2.1.3",
  "celebrate": "^15.0.0",
  "celebrate": "^15.0.0",
  "celebrate": "^15.0.0",
  "cheerio": "^1.0.0-rc.5",
  "clean-whitespace": "0.1.2",
  "connect-redis": "5.1.0",
  "connect-redis": "^6.0.0",
  "cors": "2.8.5",
  "date-fns": "2.19.0",
  "date-fns": "^2.24.0",
  "docker-compose": "0.23.6",
  "dotenv": "8.2.0",
  "dotenv": "^10.0.0",
  "dotenv": "^10.0.0",
  "entities": "2.2.0",
  "express": "4.17.1",
  "express": "^4.17.1",
  "express": "^4.17.1",
  "express-handlebars": "^5.3.4"
  "express-healthcheck": "0.1.0",
  "express-pino-logger": "6.0.0",
  "express-session": "1.17.1",
  "express-session": "^1.17.1",
  "express-validator": "6.10.0",
  "express-validator": "^6.10.0",
  "express-validator": "^6.9.2"
  "feed": "4.2.2",
  "firebase-admin": "^10.0.0",
  "formik": "^2.2.6",
  "got": "^11.8.1"
  "got": "^11.8.1",
  "helmet": "4.4.1",
  "highlight.js": "11.3.1",
  "highlight.js": "11.3.1",
  "http-link-header": "^1.0.3"
  "http-proxy-middleware": "1.0.6",
  "ioredis": "4.26.0",
  "ioredis": "^4.25.0",
  "ioredis-mock": "5.5.5",
  "ioredis-mock": "^5.4.1",
  "jsdom": "16.5.1",
  "jsdom": "^16.5.2",
  "jsdom": "^18.0.0",
  "jsdom": "^18.0.1",
  "jsonwebtoken": "^8.5.1",
  "jwt-decode": "^3.1.2",
  "merge-stream": "^2.0.0",
  "minimatch": "^3.0.4",
  "nanoid": "^3.1.22",
  "next": "^12.0.4",
  "next-compose-plugins": "^2.2.1",
  "next-pwa": "^5.4.1",
  "node-fetch": "2.6.1",
  "node-fetch": "^2.6.1"
  "normalize-url": "6.0.1",
  "normalize-url": "^6.0.1"
  "normalize-url": "^6.0.1",
  "opml-generator": "1.1.1",
  "passport": "0.4.1",
  "passport": "^0.5.0",
  "passport-saml": "3.1.2",
  "passport-saml": "^3.1.2"
  "pino": "7.3.0",
  "pino-elasticsearch": "6.2.0",
  "pino-pretty": "7.2.0",
  "pm2": "^5.1.1",
  "react": "^17.0.2",
  "react-dom": "^17.0.2",
  "react-icons": "^4.3.1",
  "react-transition-group": "^4.4.2",
  "react-use": "^17.2.1",
  "rss-parser": "3.12.0",
  "rss-parser": "^3.12.0"
  "sanitize-html": "2.3.2",
  "sass": "^1.43.5"
  "set-interval-async": "2.0.3",
  "sharp": "^0.29.3"
  "shelljs": "^0.8.4"
  "smoothscroll-polyfill": "^0.4.4",
  "stoppable": "1.1.0"
  "swr": "^1.0.0",
  "yup": "^0.32.9"

Analysis

Looking at these, I notice that we are defining multiple versions of the same dependencies, sometimes with pinned versions, and sometimes with caret (^) versions, which will pull in newer versions if available:

  "supertest": "6.1.3",
  "supertest": "^6.1.3"

  "@elastic/elasticsearch": "7.11.0",
  "@elastic/elasticsearch": "^7.11.0",
  "@elastic/elasticsearch": "^7.12.0",

  "@elastic/elasticsearch-mock": "0.3.0",
  "@elastic/elasticsearch-mock": "^0.3.0",

  "bull": "3.20.1",
  "bull": "^3.22.0",

  "connect-redis": "5.1.0",
  "connect-redis": "^6.0.0",

  "date-fns": "2.19.0",
  "date-fns": "^2.24.0",

  "dotenv": "8.2.0",
  "dotenv": "^10.0.0",

  "express": "4.17.1",
  "express": "^4.17.1",

  "express-session": "1.17.1",
  "express-session": "^1.17.1",

  "express-validator": "6.10.0",
  "express-validator": "^6.10.0",
  "express-validator": "^6.9.2"

  "ioredis": "4.26.0",
  "ioredis": "^4.25.0",

  "ioredis-mock": "5.5.5",
  "ioredis-mock": "^5.4.1",

  "jsdom": "16.5.1",
  "jsdom": "^16.5.2",
  "jsdom": "^18.0.0",
  "jsdom": "^18.0.1",

  "node-fetch": "2.6.1",
  "node-fetch": "^2.6.1"

  "normalize-url": "6.0.1",
  "normalize-url": "^6.0.1"

  "passport": "0.4.1",
  "passport": "^0.5.0",

  "passport-saml": "3.1.2",
  "passport-saml": "^3.1.2"

  "rss-parser": "3.12.0",
  "rss-parser": "^3.12.0"
@humphd humphd added type: bug Something isn't working dependencies Pull requests that update a dependency file labels Dec 3, 2021

HyperTHD commented Dec 4, 2021

So are we re-introducing lock files with the switch to pnpm? Hoping this actually ends up benefiting us, unlike the lock files with npm.


humphd commented Dec 4, 2021

We're thinking to try and see how it goes. Right now we have an odd mix of pinned and un-pinned versions, so it's a mess (see above). The lock files will help a ton in CI and deployment especially.
