npm ci results in modified package-lock.json #426

Closed
stevejpurves opened this issue Jul 24, 2021 · 3 comments

@stevejpurves
Collaborator

Describe the problem

npm ci is modifying our package-lock.json, locally and on CI, even though this is not documented behavior.

This causes our lint test on CI to fail.

Steps to reproduce.

  • checkout thebe master branch
  • git status shows no local mods
  • npm ci
  • git status shows package-lock.json as modified

Link to your repository or website

No response

Describe your environment.

  • node 15
  • npm 7

The version of Python you're using

3.7

Your operating system

macos

Versions of your packages

No response

Additional context

No response

@stevejpurves
Collaborator Author

stevejpurves commented Jul 24, 2021

So, can't find a bug on the npm repo about this, but some others are experiencing it and it's clearly a problem here.

We have 2 options:

  • remove the git diff step from lint. This only catches this bug in npm! It does not stop someone from unintentionally updating dependencies anyway.
  • or move to yarn as package manager over npm. yarn is better and more robust and an easy upgrade.

I've used yarn consistently for years over npm and would say it's pretty standard. It would require updates to the docs, CI workflows and a single additional global install for people who don't already have it.

I'd recommend the second option, which should just solve this and we can move on :) cc @moorepants @choldgraf @minrk

@moorepants
Collaborator

I've experienced this behavior too. It's not clear to me why package-lock.json is ever modified. I thought the purpose of lock files was to stay static unless you explicitly want it changed.

We can remove the git diff command, but I couldn't ever determine why it was there in the first place. What was the intended purpose of that command? As you imply, it was just to catch the npm bug?

yarn is fine with me too. We use yarn on our other js packages and I haven't had any issues.

@choldgraf
Collaborator

We use yarn in the other JS packages of ebp, I believe, so I'm +1 on using yarn just for the sake of standardizing if anything else
