
Consider using `npm ci`

Open ky940819 opened this issue 3 years ago • 0 comments

I have noticed that a lot of projects that are built upon this archetype do not switch `npm install` to `npm ci`. In all cases I have seen, the package is being built by a CI server and the fact that the package lock file is being updated is completely hidden from the user (and is typically running without any oversight anyway). For safety, the package lock file shouldn't be updated without oversight.

It would be helpful if this project included OOTB either

  1. Always running `npm ci`, and the user can manually run `npm install` when needed.
  2. Setting `npm install` -> `npm ci` and providing a profile that sets it back to `install` in the case that you actually want to update your dependencies, and want to do that from the Maven command instead of npm.
  3. Leaving it as `npm install` but providing a profile that sets it to `npm ci`, and giving documentation of how/when to enable that profile (i.e. on a CI server).

Expected Behaviour

The package-lock.json file should be respected, and the build should not use a dependency that does not pass the integrity check.

Actual Behaviour

The package-lock.json is updated when running a Maven build.

Steps to Reproduce

  1. Build a project using this archetype.
  2. Run a normal Maven build and confirm that it completes successfully.
  3. Find the package-lock.json file in the frontend module and modify the integrity of a package.
  4. Run the Maven build again.
  5. See that the package lock file has been updated, and the build has completed successfully despite using a dependency that did not match the integrity declared in the package-lock.json file.

If feeling ambitious, run it through your CI pipelines and note that it completed with the broken package lock. Enable "CI" mode and run it again and note that the build failed.

References:

  - https://docs.npmjs.com/cli/v7/commands/npm-ci
  - https://github.com/eirslett/frontend-maven-plugin/issues/855

ky940819 · Apr 23 '21 04:04
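One way to wire the second option above into the frontend module's pom.xml, shown here as an added example that is neither the archetype's own configuration nor code from the issue author. The property name `frontend.npm.command`, the profile id `update-deps` and the execution id are assumptions; the plugin coordinates and the `npm` goal with its `<arguments>` element are the real frontend-maven-plugin ones.

```xml
<!-- ui.frontend/pom.xml (illustrative fragment, assumed layout) -->
<properties>
  <!-- Default: reproducible install that fails the build if package-lock.json
       does not match package.json or a package fails its integrity check. -->
  <frontend.npm.command>ci</frontend.npm.command>
</properties>

<build>
  <plugins>
    <plugin>
      <groupId>com.github.eirslett</groupId>
      <artifactId>frontend-maven-plugin</artifactId>
      <!-- version: use the property/version the project already declares -->
      <executions>
        <execution>
          <id>npm-install-or-ci</id>
          <goals>
            <goal>npm</goal>
          </goals>
          <configuration>
            <!-- Resolves to "ci" unless the update-deps profile is active -->
            <arguments>${frontend.npm.command}</arguments>
          </configuration>
        </execution>
      </executions>
    </plugin>
  </plugins>
</build>

<profiles>
  <!-- Opt-in only, for deliberately refreshing dependencies and the lockfile:
       mvn -P update-deps clean install
       Review the resulting package-lock.json diff before committing it. -->
  <profile>
    <id>update-deps</id>
    <properties>
      <frontend.npm.command>install</frontend.npm.command>
    </properties>
  </profile>
</profiles>
```

Note that `npm ci` removes an existing node_modules directory before installing and refuses to run when package.json and package-lock.json disagree, so a lockfile left out of date will fail the CI build rather than being silently rewritten.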