How to avoid Meteor accounts dependency hell?

I just tried to upgrade my Meteor app from 2.2.1 to the latest 2.5.6. However, I get stuck in Meteor’s accounts dependency hell. Some abandoned packages seem to “pin” accounts-base to a 1.x version, which prevents Meteor from upgrading it to accounts-base@2.2.1.

I do not really understand why this happens, since all of these packages do not set a specific accounts-base version. They just call api.use('accounts-base'). What Meteor magic makes them pin the package to 1.x then? I assume the culprits are the api.versionsFrom calls, which explicitly state Meteor 1.x. But why would versionsFrom pin a package in the first place? I would expect that any newer version is valid.

Is there any way out of this dependency hell, if the packages themselves are not maintained anymore? I know that I can create a local copy of them and patch them. But would it be safe to just tweak the versionsFrom setting?

Is there any description about how the whole package dependency resolution mechanism works? It seems to be pretty weird to me.

=> Errors while initializing project:         
                                              
While selecting package versions:
error: Conflict: Constraint accounts-base@1.2.8 is not satisfied by accounts-base 2.2.1.
Constraints on package "accounts-base":
* accounts-base@~2.2.1 <- top level
* accounts-base@2.2.0 <- accounts-password 2.2.0
* accounts-base@2.2.0 <- service-configuration 1.3.0 <- accounts-base 2.2.1 <- accounts-facebook 1.3.3
* accounts-base@2.2.0 <- service-configuration 1.3.0 <- meteoreact:accounts 1.2.4_1
* accounts-base@1.4.2 || 2.0.0 <- meteoreact:accounts 1.2.4_1
* accounts-base@1.2.8 <- loren:login-links 0.1.3
* accounts-base@1.9.0 || 2.0.0 <- alanning:roles 1.3.0
* accounts-base@1.4.3 <- quave:accounts-apple 1.1.3
* accounts-base@2.1.0 <- accounts-oauth 1.4.0 <- accounts-facebook 1.3.3
* accounts-base@1.4.3 <- quave:apple-oauth 1.4.2 <- quave:accounts-apple 1.1.3
* accounts-base@2.0.0 <- accounts-facebook 1.3.3
* accounts-base@1.2.14 <- bozhao:link-accounts 2.2.1
* accounts-base@2.0.0 <- accounts-google 1.4.0

Conflict: Constraint accounts-base@1.4.3 is not satisfied by accounts-base 2.2.1.
Constraints on package "accounts-base":
* accounts-base@~2.2.1 <- top level
* accounts-base@2.2.0 <- accounts-password 2.2.0
* accounts-base@2.2.0 <- service-configuration 1.3.0 <- accounts-base 2.2.1 <- accounts-facebook 1.3.3
* accounts-base@2.2.0 <- service-configuration 1.3.0 <- meteoreact:accounts 1.2.4_1
* accounts-base@1.4.2 || 2.0.0 <- meteoreact:accounts 1.2.4_1
* accounts-base@1.2.8 <- loren:login-links 0.1.3
* accounts-base@1.9.0 || 2.0.0 <- alanning:roles 1.3.0
* accounts-base@1.4.3 <- quave:accounts-apple 1.1.3
* accounts-base@2.1.0 <- accounts-oauth 1.4.0 <- accounts-facebook 1.3.3
* accounts-base@1.4.3 <- quave:apple-oauth 1.4.2 <- quave:accounts-apple 1.1.3
* accounts-base@2.0.0 <- accounts-facebook 1.3.3
* accounts-base@1.2.14 <- bozhao:link-accounts 2.2.1
* accounts-base@2.0.0 <- accounts-google 1.4.0

Conflict: Constraint oauth@1.2.8 is not satisfied by oauth 2.1.1.
Constraints on package "oauth":
* oauth@~2.1.1 <- top level
* oauth@2.1.0 <- accounts-oauth 1.4.0 <- accounts-facebook 1.3.3
* oauth@1.2.8 <- quave:apple-oauth 1.4.2 <- quave:accounts-apple 1.1.3
* oauth@2.0.0 <- oauth2 1.3.1 <- facebook-oauth 1.10.0 <- accounts-facebook 1.3.3
* oauth@2.1.0 <- facebook-oauth 1.10.0 <- accounts-facebook 1.3.3
* oauth@1.1.13 <- bozhao:link-accounts 2.2.1
* oauth@2.0.0 <- google-oauth 1.4.1 <- accounts-google 1.4.0

Conflict: Constraint oauth@1.1.13 is not satisfied by oauth 2.1.1.
Constraints on package "oauth":
* oauth@~2.1.1 <- top level
* oauth@2.1.0 <- accounts-oauth 1.4.0 <- accounts-facebook 1.3.3
* oauth@1.2.8 <- quave:apple-oauth 1.4.2 <- quave:accounts-apple 1.1.3
* oauth@2.0.0 <- oauth2 1.3.1 <- facebook-oauth 1.10.0 <- accounts-facebook 1.3.3
* oauth@2.1.0 <- facebook-oauth 1.10.0 <- accounts-facebook 1.3.3
* oauth@1.1.13 <- bozhao:link-accounts 2.2.1
* oauth@2.0.0 <- google-oauth 1.4.1 <- accounts-google 1.4.0

Conflict: Constraint accounts-base@1.2.14 is not satisfied by accounts-base 2.2.1.
Constraints on package "accounts-base":
* accounts-base@~2.2.1 <- top level
* accounts-base@2.2.0 <- accounts-password 2.2.0
* accounts-base@2.2.0 <- service-configuration 1.3.0 <- accounts-base 2.2.1 <- accounts-facebook 1.3.3
* accounts-base@2.2.0 <- service-configuration 1.3.0 <- meteoreact:accounts 1.2.4_1
* accounts-base@1.4.2 || 2.0.0 <- meteoreact:accounts 1.2.4_1
* accounts-base@1.2.8 <- loren:login-links 0.1.3
* accounts-base@1.9.0 || 2.0.0 <- alanning:roles 1.3.0
* accounts-base@1.4.3 <- quave:accounts-apple 1.1.3
* accounts-base@2.1.0 <- accounts-oauth 1.4.0 <- accounts-facebook 1.3.3
* accounts-base@1.4.3 <- quave:apple-oauth 1.4.2 <- quave:accounts-apple 1.1.3
* accounts-base@2.0.0 <- accounts-facebook 1.3.3
* accounts-base@1.2.14 <- bozhao:link-accounts 2.2.1
* accounts-base@2.0.0 <- accounts-google 1.4.0

I’ve been stuck on 2.3 for the longest time bc of this issue too.

We got around this issue by cloning the offending packages; however, I believe you can also get around it by specifying @= instead of @ in your packages file. Note that even if this does work, if they depend on deprecated functionality, you’ll still have trouble.

Thanks. Yes, I also worked around this by cloning the packages and setting the versionsFrom flag in all of them. However, how do I actually know if this is working or if there are any side-effects? According to the Meteor 2.3 docs, they removed logoutOtherClients and changed a token name. It’s not very likely that these features have been used by these packages, but you never know. These kinds of breaking changes cause more trouble than they do good, IMHO.

Hi - I am stuck in 2.2.4 completely in dependency hell and cannot even get into 2.3 - any suggestions on how to make Meteor upgrade to 2.3+?

  • Update Node
  • Have tried fixing version in .meteor/packages file (using @=)
  • removed versions from my custom packages with dependencies
  • any suggestions of things to try?

The only solution I found was to

  1. Have a close look at which packages pin down another package to a certain, incompatible version (you can see this in the dependency log that shows up if there’s a problem). You have to look at the version that Meteor complains is incompatible in the first lines, and then in the detailed overview at which package causes the pindown to exactly this version.
  2. Clone these packages from GitHub to a local /packages folder (ideally as sub-modules), and patch the versionsFrom function call so it includes Meteor 2.3 as well, e.g.: api.versionsFrom(['1.12', '2.3']) (where 1.2 was the version the package originally referenced). Of course, you have no insurance that the package will actually work with the breaking changes Meteor 2.3 introduced (which are mostly relevant if the package is using rawCollection). And you decouple your app from future updates of the package this way (which is why I actually am using git submodules instead of a pure copy). But at least it should resolve the dependencies now.
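
Step 1 above (reading the conflict log to find which package declares the unsatisfiable constraint) can be scripted. This is an added example, not part of the original post or of Meteor's tooling: `findPinners`, `satisfies` and the shortened sample log are constructed for illustration. The matching rules (plain `pkg@x.y.z` means at least x.y.z within the same major version, `~` means same major.minor, `=` means exact) are an assumption about Meteor's constraint syntax.

```javascript
// Constructed sample: a shortened copy of the solver output quoted in this thread.
const SAMPLE_LOG = `
Conflict: Constraint accounts-base@1.2.8 is not satisfied by accounts-base 2.2.1.
Constraints on package "accounts-base":
* accounts-base@~2.2.1 <- top level
* accounts-base@2.2.0 <- accounts-password 2.2.0
* accounts-base@1.4.2 || 2.0.0 <- meteoreact:accounts 1.2.4_1
* accounts-base@1.2.8 <- loren:login-links 0.1.3
* accounts-base@1.9.0 || 2.0.0 <- alanning:roles 1.3.0
* accounts-base@1.4.3 <- quave:apple-oauth 1.4.2 <- quave:accounts-apple 1.1.3
* accounts-base@1.2.14 <- bozhao:link-accounts 2.2.1
Conflict: Constraint oauth@1.1.13 is not satisfied by oauth 2.1.1.
Constraints on package "oauth":
* oauth@~2.1.1 <- top level
* oauth@1.2.8 <- quave:apple-oauth 1.4.2 <- quave:accounts-apple 1.1.3
* oauth@1.1.13 <- bozhao:link-accounts 2.2.1
`;

const parse = (v) => v.replace(/^[=~]/, '').split('.').map(Number);
const cmp = (a, b) => a[0] - b[0] || a[1] - b[1] || a[2] - b[2];

// Does one alternative of a constraint accept the selected version?
// Assumed semantics: "=x" exact, "~x" same major.minor, plain "x" same major; all >= x.
function satisfies(alt, selectedVersion) {
  const want = parse(alt), have = parse(selectedVersion);
  if (alt.startsWith('=')) return cmp(have, want) === 0;
  if (cmp(have, want) < 0 || have[0] !== want[0]) return false;
  return alt.startsWith('~') ? have[1] === want[1] : true;
}

// Returns each package whose own constraint rejects the version the solver selected.
function findPinners(log) {
  const selected = {}; // package name -> version named in a "Conflict:" line
  for (const m of log.matchAll(/is not satisfied by (\S+) (\d+\.\d+\.\d+)/g)) selected[m[1]] = m[2];
  const pinners = new Map(); // keyed to drop the repeats the solver prints per conflict
  for (const [, pkg, constraint, chain] of log.matchAll(/^\* (\S+?)@(.+?) <- (.+)$/gm)) {
    if (!selected[pkg]) continue;
    const ok = constraint.split('||').some((alt) => satisfies(alt.trim(), selected[pkg]));
    // The first hop of the "<-" chain is the package that declares the constraint.
    const declaredBy = chain.split(' <- ')[0].trim();
    if (!ok) pinners.set(`${declaredBy}|${pkg}`, { declaredBy, pkg, constraint });
  }
  return [...pinners.values()];
}

console.table(findPinners(SAMPLE_LOG));
```

Packages that list an alternative such as `1.9.0 || 2.0.0` are not reported, which narrows the clone-and-patch list to the ones that only accept a 1.x release.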

Thanks @waldgeist - I have unpinned dependency versions in the packages and it is still calling the wrong dependency versions - but I will take a much closer look to set the latest versions at every package.