Read the statement by Michael Teeuw here.
Best practice 'package-lock.json' for modules
-
@mumblebaj right it’s good for teams and automated test. but not here.
os at different levels, architectures, node levels.
I test on Jetson nano, odroid the entire pi family, amd64, arm64, lots of different Linux OS es, virtual machines on amd and arm
package-lock is useless and an inhibitor.
modules should NEVER ship it.
-
Wouldn’t that also be a good idea for the core? It would probably make sense to use the same strategy for the core as for the modules.
-
@KristjanESPERANTO well we use it to control the test platforms. but you can’t delete it for clone
-
@KristjanESPERANTO i just did an npm ci in a module folder with no package-lock.json and it complained that it required package-lock.json
pi@raspberrypi5:~/Documents/MagicMirror/modules/MMM-Soliscloud $ npm ci npm ERR! code EUSAGE npm ERR! npm ERR! The `npm ci` command can only install with an existing package-lock.json or npm ERR! npm-shrinkwrap.json with lockfileVersion >= 1. Run an install with npm@5 or npm ERR! later to generate a package-lock.json file, then try again. npm ERR!
-
That’s the point of
npm ci
it takes thepackage-lock.json
to install and it don’t change it. -
well we use it to control the test platforms.
Can you show me where?
-
@KristjanESPERANTO in the npm install on the different test instances. I don’t build those
these are effectively docker images, build and execute, throw away
-
@KristjanESPERANTO said in Best practice 'package-lock.json' for modules:
Can you show me where?
we don’t use
npm ci
but I’m not sure whatnpm install
does ifpackage-lock.json
is present.I do the tests after building my docker images on my own and I always delete
package-lock.json
before runningnpm install
to be sure getting the newest deps. -
@karsten13 package-lock is SUPPOSED to insure installing EXACTLY those versions every time