Start tracking and using package-lock.json
This merge request starts tracking `package-lock.json` and updates gitlab-ci to use `npm ci` instead of `npm install`.
I believe this will help us solve some of the issues we occasionally have with unexpected upgrades or breaking changes in our dependencies' dependencies.
package-lock.json
We are currently not tracking `package-lock.json`, but it is recommended to track it according to the documentation: https://docs.npmjs.com/cli/v8/configuring-npm/package-lock-json
""" This file is intended to be committed into source repositories, and serves various purposes:
Describe a single representation of a dependency tree such that teammates, deployments, and continuous integration are guaranteed to install exactly the same dependencies.
Provide a facility for users to "time-travel" to previous states of node_modules without having to commit the directory itself.
Facilitate greater visibility of tree changes through readable source control diffs.
Optimize the installation process by allowing npm to skip repeated metadata resolutions for previously-installed packages.
As of npm v7, lockfiles include enough information to gain a complete picture of the package tree, reducing the need to read package.json files, and allowing for significant performance improvements. """
npm ci
The command `npm ci` uses only the module versions specified in the package-lock.json file to ensure a repeatable build. `npm install` can pick up new dependency versions and change the build even when package.json has not changed. We should therefore be using `npm ci` in our continuous integration pipeline. As a bonus, `npm ci` is much faster than `npm install`, so it should speed up the CI pipeline to some degree.
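As an added illustration (not part of this merge request or the project's actual pipeline), here is a minimal `.gitlab-ci.yml` job that installs dependencies with `npm ci` from the committed lockfile and keys the CI cache on `package-lock.json` so a dependency change invalidates it. The image tag, stage name, job name and cache directory are assumptions to adapt to the project.

```yaml
# Added example, not the project's own .gitlab-ci.yml.
# Image tag, stage/job names and the .npm cache directory are assumptions.
stages:
  - test

.node-deps: &node-deps
  image: node:18          # assumed image; pin to the project's Node version
  cache:
    key:
      files:
        # Cache key derived from the lockfile: a changed lock means a fresh cache.
        - package-lock.json
    paths:
      - .npm/
  before_script:
    # npm ci installs exactly the versions recorded in package-lock.json and
    # exits non-zero if package.json and the lockfile disagree, instead of
    # silently resolving newer versions the way npm install would.
    - npm ci --cache .npm --prefer-offline

test:
  <<: *node-deps
  stage: test
  script:
    - npm test
```

Because `npm ci` refuses to run when `package.json` and `package-lock.json` are out of sync, a developer who edits `package.json` without regenerating the lockfile gets a failing pipeline rather than an unreviewed dependency upgrade; it also removes any existing `node_modules` before installing, so the CI tree always matches the lockfile.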