chore: update all the things

[isaacs]

Some test failures.

./test/build/built-034-nyc-wrap-produce_source_map-handles_stack_traces.js .. 0/1
  nyc > wrap > produce source map > handles stack traces
  not ok expected 'Error: Blarrh\n    at blah (/Users/isaacs/dev/js/nyc/test/fixtures/stack-trace.js:1:1317)\n    at Object.<anonymous> (/Users/isaacs/dev/js/nyc/test/fixtures/stack-trace.js:1:1396)\n    at Module._compile (internal/modules/cjs/loader.js:678:30)\n    at Module._compile (/Users/isaacs/dev/js/nyc/node_modules/source-map-support/source-map-support.js:492:25)\n    at Module.replacementCompile (/Users/isaacs/dev/js/nyc/node_modules/append-transform/index.js:58:13)\n    at module.exports (/Users/isaacs/dev/js/nyc/node_modules/default-require-extensions/js.js:8:9)\n    at Object.<anonymous> (/Users/isaacs/dev/js/nyc/node_modules/append-transform/index.js:62:4)\n    at Module.load (internal/modules/cjs/loader.js:589:32)\n    at tryModuleLoad (internal/modules/cjs/loader.js:528:12)\n    at Function.Module._load (internal/modules/cjs/loader.js:520:3)\n    at Module.require (internal/modules/cjs/loader.js:626:17)\n    at require (internal/modules/cjs/helpers.js:20:18)\n    at Test.<anonymous> (/Users/isaacs/dev/js/nyc/test/src/nyc-tap.js:213:21)\n    at Test.t.test.tt (/Users/isaacs/dev/js/nyc/node_modules/tap/lib/mocha.js:95:20)\n    at bound (domain.js:396:14)\n    at Test.runBound (domain.js:409:12)' to match /stack-trace.js:4:/
    stack: |
      Test.<anonymous> (test/src/nyc-tap.js:214:24)
    at:
      line: 214
      column: 24
      file: test/src/nyc-tap.js
      function: Test.<anonymous>
    type: AssertionError
    showDiff: false
    actual: |-
      Error: Blarrh
          at blah (/Users/isaacs/dev/js/nyc/test/fixtures/stack-trace.js:1:1317)
          at Object.<anonymous> (/Users/isaacs/dev/js/nyc/test/fixtures/stack-trace.js:1:1396)
          at Module._compile (internal/modules/cjs/loader.js:678:30)
          at Module._compile (/Users/isaacs/dev/js/nyc/node_modules/source-map-support/source-map-support.js:492:25)
          at Module.replacementCompile (/Users/isaacs/dev/js/nyc/node_modules/append-transform/index.js:58:13)
          at module.exports (/Users/isaacs/dev/js/nyc/node_modules/default-require-extensions/js.js:8:9)
          at Object.<anonymous> (/Users/isaacs/dev/js/nyc/node_modules/append-transform/index.js:62:4)
          at Module.load (internal/modules/cjs/loader.js:589:32)
          at tryModuleLoad (internal/modules/cjs/loader.js:528:12)
          at Function.Module._load (internal/modules/cjs/loader.js:520:3)
          at Module.require (internal/modules/cjs/loader.js:626:17)
          at require (internal/modules/cjs/helpers.js:20:18)
          at Test.<anonymous> (/Users/isaacs/dev/js/nyc/test/src/nyc-tap.js:213:21)
          at Test.t.test.tt (/Users/isaacs/dev/js/nyc/node_modules/tap/lib/mocha.js:95:20)
          at bound (domain.js:396:14)
          at Test.runBound (domain.js:409:12)
    expected: null
    test: handles stack traces
    source: |
      check().should.match(/stack-trace.js:4:/)

Bail out! # expected 'Error: Blarrh\n    at blah (/Users/isaacs/dev/js/nyc/test/fixtures/stack-trace.js:1:1317)\n    at Object.<anonymous> (/Users/isaacs/dev/js/nyc/test/fixtures/stack-trace.js:1:1396)\n    at Module._compile (internal/modules/cjs/loader.js:678:30)\n    at Module._compile (/Users/isaacs/dev/js/nyc/node_modules/source-map-support/source-map-support.js:492:25)\n    at Module.replacementCompile (/Users/isaacs/dev/js/nyc/node_modules/append-transform/index.js:58:13)\n    at module.exports (/Users/isaacs/dev/js/nyc/node_modules/default-require-extensions/js.js:8:9)\n    at Object.<anonymous> (/Users/isaacs/dev/js/nyc/node_modules/append-transform/index.js:62:4)\n    at Module.load (internal/modules/cjs/loader.js:589:32)\n    at tryModuleLoad (internal/modules/cjs/loader.js:528:12)\n    at Function.Module._load (internal/modules/cjs/loader.js:520:3)\n    at Module.require (internal/modules/cjs/loader.js:626:17)\n    at require (internal/modules/cjs/helpers.js:20:18)\n    at Test.<anonymous> (/Users/isaacs/dev/js/nyc/test/src/nyc-tap.js:213:21)\n    at Test.t.test.tt (/Users/isaacs/dev/js/nyc/node_modules/tap/lib/mocha.js:95:20)\n    at bound (domain.js:396:14)\n    at Test.runBound (domain.js:409:12)' to match /stack-trace.js:4:/

[DanielRuf]

Why is this necessary?

[isaacs]

Because it makes npm faster, enables security auditing, and allows maintainers to track changes to the dependency tree in use during development. npm update works great with it (and faster) to bring everything up to latest and greatest semver. And git conflicts are automatically resolved by npm. There's no reason not to use it, and several reasons to enable it and keep it in source control.

[DanielRuf]

We often use the yarn cache on Travis CI and it just makes it faster with npm ci and this also introduces some overhead in many repos ;-)

[isaacs]

npm ci requires having a package-lock.json file present, so it's pretty important to be able to check it into the repo!

[DanielRuf]

I know =) But we have to manage 2 lockfiles then (which is not always the best solution). Just saw now that you created and founded npm =)

[DanielRuf]

Because @latest would have been 6.0.0 afaik.

Many projects have two lockfiles, use snyp and alternatives and there is a big thread against adding package-lock in libraries (consumers get different or not latest dependencies).

This is what I know so far from the community ;-)

[isaacs]

You mean, they have two files both named package-lock.json in the root of the project? I don't understand how that's even possible, I must be misunderstanding you.

There is no reason to not include package-lock.json in libraries. It's never published, and in practice, it makes debugging the rare issues caused by mismatched dependencies easier, because you can tell what the differences are.

[DanielRuf]

You mean, they have two files both named package-lock.json in the root of the project?

No, yarn.lock + package-lock.json like we have it here now.

[DanielRuf]

See sindresorhus/ama#479 (comment) and other comments regarding packages / libraries (not apps).

[DanielRuf]

And still do not understand the downgrade from npm 6 to npm 5. Oh please enlighten me master =)

[bcoe]

this looks good to me, once tests pass; @DanielRuf once this lands, let's rebase the pull requests you have open against it.

[DanielRuf]

Why 5 instead of 6 in this PR? That's what I've meant. It's basically a downgrade from 6 to 5. Or am I wrong? =)