Freeze the versions of all nodejs dependencies.

Freeze the versions of all nodejs dependencies.

Add a generated npm-shrinkwrap.json file that freezes the current versions
of all nodejs dependecies, even the recursive ones.

Update the package.json file keeping the currently fixed package versions.
Also remove the misleading "engines" entry (see
<https://npmjs.org/doc/json.html#engines>), and remove the useless distinction
between "dependencies" and "devDependencies" (see
<https://npmjs.org/doc/json.html#devDependencies>).

Add a documentation section, "Updating the nodejs dependencies" at the
bottom of the docs/hacking.rst file, explaining how this works and how to
update dependencies to new versions. Please check that the whole thing is
understandable and workable: you will use this stuff, after all. :-)

Sorry for the change size: it's mainly due to the 1k+ lines of the generated
npm-shrinkwrap.json file. No need to go over that one, just look at the
changes in the docs/hacking.rst and package.json files.

https://code.launchpad.net/~teknico/juju-gui/harden-npm-dependencies/+merge/158659

(do not edit description out of merge proposal)

[teknico, 2013-04-12 15:57:53]

Please take a look.

[gary.poster, 2013-04-12 22:02:20]

LGTM.  I tried this in the charm (PyJuju) and it worked great.  Thank you!

Gary

https://codereview.appspot.com/8714043/diff/1/package.json
File package.json (left):

https://codereview.appspot.com/8714043/diff/1/package.json#oldcode17
package.json:17: "devDependencies": {
I still think that collapsing dependencies and devDependencies makes sense. 
Thank you.

https://codereview.appspot.com/8714043/diff/1/package.json
File package.json (right):

https://codereview.appspot.com/8714043/diff/1/package.json#newcode13
package.json:13: "d3": "~2.10.3",
Why don't we keep the values we had before, instead?  They were working pretty
well for us, and now the shrinkwrap actually hardens.  Perhaps this is a
misunderstanding--I only intended to suggest that we nail down our dependencies
when we didn't have the shrinkwrap functionality.

[teknico, 2013-04-15 10:09:08]

Thanks for the review. No remarks on the docs?

https://codereview.appspot.com/8714043/diff/1/package.json
File package.json (left):

https://codereview.appspot.com/8714043/diff/1/package.json#oldcode17
package.json:17: "devDependencies": {
gary.poster wrote:
> I still think that collapsing dependencies and devDependencies
> makes sense.  Thank you.

That's good. :-)

https://codereview.appspot.com/8714043/diff/1/package.json
File package.json (right):

https://codereview.appspot.com/8714043/diff/1/package.json#newcode13
package.json:13: "d3": "~2.10.3",
gary.poster wrote:
> Why don't we keep the values we had before, instead?
> They were working pretty well for us, and now the
> shrinkwrap actually hardens.  Perhaps this is a
> misunderstanding--I only intended to suggest that we
> nail down our dependencies when we didn't have the
> shrinkwrap functionality.

Yes, it makes sense, I'm reverting most of these changes.

[teknico, 2013-04-15 10:15:14]

Please take a look.

[frankban, 2013-04-15 10:44:02]

LGTM, see just a minor below.
Thank you.

https://codereview.appspot.com/8714043/diff/5001/HACKING
File HACKING (right):

https://codereview.appspot.com/8714043/diff/5001/HACKING#newcode57
HACKING:57: sudo apt-get install nodejs imagemagick lbox python-sphinx
python-yaml python-tz \
I know this preexisted, but, while you are here, you could wrap this line at 80?

https://codereview.appspot.com/8714043/diff/5001/HACKING#newcode423
HACKING:423: 4) check that everything works well;
Very clear.

https://codereview.appspot.com/8714043/diff/5001/package.json
File package.json (right):

https://codereview.appspot.com/8714043/diff/5001/package.json#newcode9
package.json:9: "url": "lp:juju-gui"
Thank you!

[teknico, 2013-04-15 10:49:21]

https://codereview.appspot.com/8714043/diff/5001/HACKING
File HACKING (right):

https://codereview.appspot.com/8714043/diff/5001/HACKING#newcode57
HACKING:57: sudo apt-get install nodejs imagemagick lbox python-sphinx
python-yaml python-tz \
frankban wrote:
> I know this preexisted, but, while you are here,
> you could wrap this line at 80?

Oh right, doing it, thanks.

[teknico, 2013-04-15 11:24:29]

*** Submitted:

Freeze the versions of all nodejs dependencies.

Add a generated npm-shrinkwrap.json file that freezes the current versions
of all nodejs dependecies, even the recursive ones.

Update the package.json file keeping the currently fixed package versions.
Also remove the misleading "engines" entry (see
<https://npmjs.org/doc/json.html#engines>), and remove the useless distinction
between "dependencies" and "devDependencies" (see
<https://npmjs.org/doc/json.html#devDependencies>).

Add a documentation section, "Updating the nodejs dependencies" at the
bottom of the docs/hacking.rst file, explaining how this works and how to
update dependencies to new versions. Please check that the whole thing is
understandable and workable: you will use this stuff, after all. :-)

Sorry for the change size: it's mainly due to the 1k+ lines of the generated
npm-shrinkwrap.json file. No need to go over that one, just look at the
changes in the docs/hacking.rst and package.json files.

R=gary.poster, frankban
CC=
https://codereview.appspot.com/8714043