aem-project-archetype
Consider using `npm ci`
I have noticed that a lot of projects that are built upon this archetype do not switch the `npm install` -> `npm ci`. In all cases I have seen, the package is being built by a CI server and the fact that the package lock file is being updated is completely hidden from the user (and is typically running without any oversight anyway). For safety, the package lock file shouldn't be updated without oversight.
It would be helpful if this project included OOTB either:

- Always running `npm ci`, and the user can manually run `npm install` when needed.
- Setting the `npm install` -> `npm ci` and providing a profile that sets it back to `install` in the case that you actually want to update your dependencies, and want to do that from the maven command instead of npm.
- Leaving it as `npm install` but providing a profile that sets it to `npm ci`, and giving documentation of how/when to enable that profile (i.e. on a CI server).
Expected Behaviour

The `package-lock.json` file should be respected, and the build should not use a dependency that does not pass the integrity check.

Actual Behaviour

The `package-lock.json` is updated when running a maven build.
Steps to Reproduce

1. Build a project using this archetype.
2. Run a normal maven build and confirm that it completes successfully.
3. Find the `package-lock.json` file in the frontend module and modify the integrity of a package.
4. Run the maven build again.
5. See that the package lock file has been updated, and the build has completed successfully despite using a dependency that did not match the integrity declared in the `package-lock.json` file.

If feeling ambitious, run it through your CI pipelines and note that it completed with the broken package lock. Enable "CI" mode and run it again and note that the build failed.
References:

- https://docs.npmjs.com/cli/v7/commands/npm-ci
- https://github.com/eirslett/frontend-maven-plugin/issues/855
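One way to implement the third option above (keep `npm install` as the default, but let a Maven profile switch the frontend-maven-plugin execution to `npm ci` on a CI server). This is an added example, not the archetype's own `ui.frontend/pom.xml`; the `npm.install.arguments` property name, the `ci` profile id and the `PLUGIN_VERSION` placeholder are my own choices.

```xml
<!-- ui.frontend/pom.xml excerpt (added example, not the archetype's configuration) -->
<project>
  <properties>
    <!-- Default keeps the current behaviour: "npm install" may rewrite package-lock.json. -->
    <npm.install.arguments>install</npm.install.arguments>
  </properties>

  <build>
    <plugins>
      <plugin>
        <groupId>com.github.eirslett</groupId>
        <artifactId>frontend-maven-plugin</artifactId>
        <version>PLUGIN_VERSION</version> <!-- placeholder: use the version your project pins -->
        <executions>
          <execution>
            <id>npm install</id>
            <goals>
              <goal>npm</goal>
            </goals>
            <configuration>
              <!-- Resolves to "install" by default and to "ci" when the ci profile is active. -->
              <arguments>${npm.install.arguments}</arguments>
            </configuration>
          </execution>
        </executions>
      </plugin>
    </plugins>
  </build>

  <profiles>
    <profile>
      <!-- Activate explicitly with "mvn clean install -Pci", or automatically on
           build agents that export a CI environment variable (common on CI servers).
           "npm ci" never modifies package-lock.json and fails the build when the
           lock file disagrees with package.json or an integrity hash does not match,
           which is the failure the Steps to Reproduce above expect to see. -->
      <id>ci</id>
      <activation>
        <property>
          <name>env.CI</name>
        </property>
      </activation>
      <properties>
        <npm.install.arguments>ci</npm.install.arguments>
      </properties>
    </profile>
  </profiles>
</project>
```

Note that `npm ci` requires an existing `package-lock.json`, so the lock file must be committed for the profile to work.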