Managing dependencies

Keeping dependencies up-to-date is crucial for stability and security, as well as keeping your package.json dependencies clean and up-to-date. Please carefully learn and follow the principles below.

Yarn configuration

We use Yarn on top of npm to manage dependencies. Your project should contain a yarnrc.yml file at its root, with the following settings:

enableTelemetry: false
nodeLink: node-modules

Don't use Yarn v1!

Be careful to not remove the "packageManager": "yarn@X.Y.Z" setting from your package.json file, otherwise you will revert to using Yarn v1, which is an outdated version.

You can adjust the Yarn configuration to your needs, be please:

• Don't enable caching
• Don't use PNP—although this may change in the future. We can't use it for now because of some incompatible dependencies.

Adding dependencies

There are different types of dependencies that have an impact on our consumers when they install our packages.

• Think carefully when you add a dependency: is it a regular dependency (yarn add ...) or a dev dependency (yarn add --dev ...)?

• Run yarn install and carefully review and fix the unmet peer dependencies.

  Note

  There are legitimate cases where it's okay not to provide some peer dependencies (ex: a dev tool you don't use in your specific context).

• Commit your yarn.lock file.

Pinning dependencies

First, learn and understand the SemVer ranges and dependency pinning concepts.

Then follow the rules we have defined for the Quartz ecosystem:

Do not pin regular dependencies

Except when:

• using a beta version (ex: @quartzds/se-tokens@1.0.0-beta.25)
• the dependency does not follow SemVer practices (ex: typescript, rxjs)
• required by a specific package (ex: Angular is quite constraining with typescript and rxjs versions)

Always pin dev dependencies

Updating dependencies

We use the Mend Renovate App in our CI workflows to catch necessary updates and generate PRs. Renovate will automatically merge some PRs when the CI runs successfully.

Regularly review and merge Renovate's PRs

Rather than manually updating the dependencies. If you do so, use the chore: update dependencies commit message.

When updating a dependency, don't forget to:

• thoroughly test your code when upgrading a major version of a dependency
• review the peer dependencies requirements, as they evolve with versions

Avoiding duplicate dependencies

Because Yarn ensures deterministic installs, there can sometimes be multiple versions of the same dependency installed, increasing the size of your package. This is true for all projects, including monorepos (see below).

Run yarn dedupe regularly

The yarn dedupe command will automatically review and optimize duplicate versions of dependencies.

Keep dependencies up-to-date

Monitor Renovate's PRs that need your attention, and review your dependencies regularly:

• Check unmet peer dependencies
• Reassess dependency types (dev or regular)
• Remove unused dependencies
• Review other constraints (required node version, yarn version, etc.)

Specific rules for monorepos

Many repositories of Quartz are organized as monorepos. For example:

• component libraries generate packages for several frameworks
• brand repositories generate packages for their design tokens, assets, fonts, and icon libraries

Yarn has strong support for monorepos through its workspaces feature. Make sure you read and understand how they work.

Because their nature, monorepos have a different organization of dependencies:

• shared dependencies go in the root package.json when possible
• individual workspace's package.json contain only:
  • dev dependencies required by the scripts
  • regular or dev dependencies specific to that package
  • peer dependencies required by a 3rd-party library (ex: angular)

Tip

There should not be packages/*/node_modules folders created when running yarn install.

This happens when different versions of the same dependency are used in different workspaces.