package-lock.json mismatch
Category
- Plugins
Component
New plugins.
Describe the bug
We sometimes end up with a mismatch between our local package-lock.json version and the one checked in, but the mismatch can only be detected when doing a clean install. This has been a pain point during publishing.
To Reproduce
Looking deeper into this, it appears this happens when we first create a new plugin. We run npm install, which will install all dependencies locally, including first-party plugins such as @blockly/dev-tools.
When npm run boot is then run on the repo, lerna will remove local plugins from the package.json, and those won't be included in the package-lock.json.
In package-lock.json the dependencies are locked. Even though lerna is removing the first-party plugins in blockly-samples when installing, npm does not seem to remove these packages from the package-lock.json.
This may also depend on the version of npm locally installed, see: https://github.com/npm/npm/pull/17508
The more fundamental issue here is that package-lock is meant to represent a lock of package versions, so that regardless of an update to a package in the future we would still end up with the same packages installed locally. With lerna removing linked packages before installing, this defeats the purpose for local packages, and our package-locks end up excluding the local packages entirely, making them incorrect.
Expected behavior
- Either don't use package-locks as they're incorrect when lerna creates them
- Find a way to create valid package-lock.json files that work for both npm install and lerna bootstrap
After discussion, we decided to use npm ci in our release scripts to avoid writing to package-lock.json during releases.
https://docs.npmjs.com/cli/v7/commands/npm-ci
This still continues to be a problem and this bug has the most background information, so I'm reopening it.
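The issue above notes that the manifest/lockfile mismatch is only noticed on a clean install (npm ci refuses to run when the two disagree). The following is an added example, not code from the issue or from blockly-samples: a small offline check that compares package.json with package-lock.json directly, so the drift lerna introduces can be caught before release. It handles both lockfile v1 (npm 6, top-level "dependencies") and v2/v3 (npm 7+, "packages"), since the original notes the behaviour depends on the npm version. The sample manifest and lockfiles are constructed for the example; the package names other than @blockly/dev-tools and blockly, the version ranges, and the plugins/dev-tools path are assumptions.

```python
"""Offline consistency check between package.json and package-lock.json.

Added example, not part of the original issue or of blockly-samples.
It approximates the check that makes `npm ci` bail out when the manifest
and the lockfile disagree, so the drift can be spotted without a clean
install.  Supports lockfile v1 (npm 6) and v2/v3 (npm 7+).
"""
import json
from typing import Dict, List, Set

DEP_FIELDS = ("dependencies", "devDependencies", "optionalDependencies")


def manifest_specs(pkg: dict) -> Dict[str, str]:
    """Flatten the dependency sections of a manifest into name -> range."""
    specs: Dict[str, str] = {}
    for field in DEP_FIELDS:
        specs.update(pkg.get(field) or {})
    return specs


def lock_root_specs(lock: dict) -> Dict[str, str]:
    """Ranges the lockfile recorded for the root package.

    v2/v3 lockfiles keep a copy of the root manifest under packages[""].
    v1 lockfiles have no such copy, so only the presence of each pinned
    package can be checked; an empty mapping signals that case.
    """
    if lock.get("lockfileVersion", 1) >= 2:
        return manifest_specs(lock.get("packages", {}).get("", {}))
    return {}


def locked_names(lock: dict) -> Set[str]:
    """Names of packages pinned at the top level of node_modules.

    In v2/v3 these are keys like "node_modules/<name>" or
    "node_modules/@scope/<name>"; nested copies contain a second
    "node_modules/" and are skipped.  Workspace links ("link": true)
    live here too, so linked first-party plugins count as pinned.
    """
    if lock.get("lockfileVersion", 1) >= 2:
        prefix = "node_modules/"
        return {
            path[len(prefix):]
            for path in lock.get("packages", {})
            if path.startswith(prefix) and path.count(prefix) == 1
        }
    return set(lock.get("dependencies", {}))


def check_lock(pkg: dict, lock: dict) -> List[str]:
    """Return human-readable findings; an empty list means in sync."""
    findings: List[str] = []
    wanted = manifest_specs(pkg)
    root = lock_root_specs(lock)
    pinned = locked_names(lock)

    for name, rng in sorted(wanted.items()):
        if name not in pinned:
            findings.append(f"{name}: required by package.json but not pinned in package-lock.json")
        elif root and root.get(name) != rng:
            findings.append(f"{name}: package.json wants {rng}, lockfile root recorded {root.get(name)}")
    # Only the root copy can reveal extraneous entries: hoisted transitive
    # dependencies legitimately appear at the top level of node_modules.
    for name in sorted(set(root) - set(wanted)):
        findings.append(f"{name}: recorded in lockfile root but absent from package.json")
    return findings


def check_files(pkg_path: str = "package.json", lock_path: str = "package-lock.json") -> List[str]:
    """Run the check against files on disk (e.g. from a release script)."""
    with open(pkg_path) as f:
        pkg = json.load(f)
    with open(lock_path) as f:
        lock = json.load(f)
    return check_lock(pkg, lock)


# Constructed sample data (assumed names, versions and paths).
SAMPLE_MANIFEST = {
    "name": "example-plugin",
    "devDependencies": {"@blockly/dev-tools": "^1.0.0", "blockly": "^5.0.0"},
}
# Lockfile as left behind after the linked plugin was stripped before
# `npm install`: only blockly made it in.
SAMPLE_LOCK_STALE = {
    "lockfileVersion": 2,
    "packages": {
        "": {"devDependencies": {"blockly": "^5.0.0"}},
        "node_modules/blockly": {"version": "5.0.0", "dev": True},
    },
}
SAMPLE_LOCK_V1_STALE = {
    "lockfileVersion": 1,
    "dependencies": {"blockly": {"version": "5.0.0", "dev": True}},
}
SAMPLE_LOCK_SYNCED = {
    "lockfileVersion": 2,
    "packages": {
        "": {"devDependencies": {"@blockly/dev-tools": "^1.0.0", "blockly": "^5.0.0"}},
        "node_modules/blockly": {"version": "5.0.0", "dev": True},
        "node_modules/@blockly/dev-tools": {"resolved": "plugins/dev-tools", "link": True},
    },
}

if __name__ == "__main__":
    for label, lock in (("stale v2", SAMPLE_LOCK_STALE), ("stale v1", SAMPLE_LOCK_V1_STALE), ("synced", SAMPLE_LOCK_SYNCED)):
        print(label, check_lock(SAMPLE_MANIFEST, lock) or "in sync")
```

Wire check_files into a pre-publish step and fail the release on any finding; combined with npm ci (which never rewrites the lockfile) this catches a stripped first-party plugin before it reaches the published tarball rather than after a clean install.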