peerDependencies shouldn't be updated by `lerna publish`

[ianstormtaylor]

Given the following setup and using independent versioning:

packages
| -- foo
| -- bar

// foo/package.json
{
  "version" "0.2.1"
}

// bar/package.json
{
  "peerDependencies": {
    "foo": ">=0.2.0"
  },
  "devDependencies": {
    "foo": "^0.2.1"
  }
}

If you make changes in foo, and run lerna publish (patch)...

1. foo will updated to 0.2.2, as expected.
2. bar's dev dependency on foo will be updated to ^0.2.2, also as expected.
3. But bar's peer depdenncy on foo will be overwritten to ^0.2.2, unexpectedly!

I think the peerDependencies tracking of Lerna should be disabled, since it's impossible for Lerna to know whether a change would have forced a peer dependency upgrade or not.

Peer dependencies should remain as loose as possible, with the absolute earliest accepted version that works, reducing warning noise and increasing interop. With the current logic of forcing a bump with each publish, Lerna forces dependents to upgrade even if there's no need to.

Related to #955

[ljharb]

peer deps should definitely be loose; any peer dep change that removes a valid version is semver-major.

[ianstormtaylor]

Also, I forgot there's another unexpected thing...

Because of the unexpected bump of the peer dependencies, when you make a small change to the "core" package that is peer-depended on, Lerna will think that any packages that have a peer dependency on it have also been "changed", so when you go to publish you'll be publishing changes for every package, instead of just the one you actually changed.

Can any maintainers comment on this?

As far as I can tell, using independent versioning with peerDependencies is impossible without a broken UX for semver...

[evocateur]

I agree that peer dependencies, when used at all, should be as flexible as possible. The current handling of peer dependencies in lerna could use some improvement, definitely.

That said, if you aren't also expressing a dev dependency on a sibling package that you've expressed a peer dependency for, how are you even running your unit tests? Peer dependencies aren't installed by default, after all. (This pattern applies for all peer dependencies, not just lerna siblings)

The "increment version of sibling consumer when a sibling dependency changes" behavior has been discussed in detail several times, but the TL;DR: versions are cheap, it's not a violation of semver to express when dependencies have updated, and it's really not worth worrying about, tbh.

[ljharb]

@evocateur indeed, the best practice is a) for peer dep ranges to be as wide as possible, and b) for dev dep ranges to be identical to the peer dep range.

Updating deps isn't a violation of semver; updating the bottom of the range for peer deps - because it's part of the API of the module - is absolutely semver-major.

airbnb's enzyme recently switched to lerna; and this is a reason we may want to abandon it - it's that important, and decidedly "worth worrying about".

[evocateur]

@ljharb Ah yes, that clarification I agree with, thank you.

Updating deps isn't a violation of semver; updating the bottom of the range for peer deps - because it's part of the API of the module - is absolutely semver-major.

The "worth worrying about" bit was not specifically aimed at peerDependencies, but the penchant for lerna to publish new versions of a dependent when the dependency changes.

In fact, I'm fully on-board the "ignore peerDependencies in lerna publish" boat, at this point. The dev dependency will need to be bumped as before, because that's currently how lerna recognizes a matching sibling that needs a local relative symlink, etc. Does simply abandoning any modification of peerDependencies work for enzyme?

[ljharb]

That's certainly better then the current situation! However, what would be ideal is expanding the existing peer dep range so that it includes the new dev dep version; and separately, it would be ideal to find a way to keep the dev dep matching the peer dep, but that doesn't have to be a blocker.

[ianstormtaylor]

Thanks for the input @evocateur! I'd definitely love the "abandon" approach for a quick solution.

And then later we could get smarter with trying to keep them in sync with the new maximum dev dep. This seems like it's going to be somewhat rare anyways, and easy to fix in a quick patch when you forget, so it's not a big issue like the current setup.

[ljharb]

@ianstormtaylor fwiw it's not rare, it's "every package in the react and eslint ecosystems", plus any other ecosystem that uses peer deps :-)

[ianstormtaylor]

Yeah I guess that's true, I should have expanded.

I'm actually of the opinion that peerDependencies shouldn't be touched at all though, because unless I'm missing something, Lerna will only ever be able to guess at what they should be changed to. If you have many independent packages and you major bump one of the core ones, there's a very good chance that you need to do two different things to peer dependencies:

1. Completely bump them for packages that depend on the new changes.
2. Leave them loose, but include the new major for ones that don't.

It feels like Lerna trying to do anything magical here is just going to complicate the issue. I'd rather just have full control over what is pegged.

Although, regardless it sounds like we're agreed that doing nothing would be a great first step.

[ljharb]

Maybe I should also expand :-)

Let's say the peer dep range is ^4 || ^5, and you're otherwise bumping to v6. The peer dep range must become ^4 || ^5 || ^6 if it's going to retain back compat while also allowing v6. If the range is ~15.3 || ~15.4, and you're otherwise bumping to 15.5, then the range must become ~15.3 || ~15.4 || ~15.5.

What might be a viable alternative beyond doing nothing (indeed a good first step) is an in-terminal UI to allow me to provide a peer dep range, if lerna is unable to confidently come up with one?

[ianstormtaylor]

That makes sense, but my point is that Lerna can't actually know whether a package wants to extend itself to include the new peer dep and retain backwards compat, or whether it wants to start fresh with only the latest version included.

I think trying to do anything magic here is going to end up being wrong more often than it's worth, especially when you consider it across multiple packages.

An in-terminal UI prompt would be great though! It could even just ask you if you want to "extend" or "reset" the peer dep range, potentially without having to ask you to remember the exact ranges to set.

That said, I think we should hold off on that and first just get Lerna to stop touching peer deps.