
Don't use `npm ci` if lockfiles are ignored by git

Open loilo opened this issue 5 years ago • 2 comments

Description

Currently, this tool uses npm ci if a lock file is present, even if that lock file is ignored through a .gitignore file.

Since the main reason for re-installing npm dependencies should be reproducibility (is this assumption right?), npm ci should not be used if the lock file is not ending up in the remote repository (and therefore, in the continuous integration tool of choice).

Steps to reproduce

  1. Create a git repository.
  2. Inside, create a package with npm init.
  3. Create a `.gitignore` file with these contents:

     ```
     node_modules
     package-lock.json
     ```

  4. Install a dependency in a slightly outdated version (e.g. npm install [email protected]).
  5. Run np. (At least in theory. In practice, I don't know how to run np without actually trying to publish anything.) It will use npm ci to reinstall dependencies because a lockfile is present.

Expected behavior

np should reinstall npm dependencies using npm install instead of npm ci, because CI environments can't use npm ci either with no package-lock.json available.

Environment

- np - 5.2.1
- Node.js - 13.3.0
- npm - 6.13.1
- Git - 2.23.0
- OS - macOS 10.14.6

loilo avatar Dec 26 '19 19:12 loilo

@loilo, if you don't need a package-lock.json just create a .npmrc file in the project and add:

```
package-lock=false
```

thasmo avatar Apr 02 '20 21:04 thasmo

@thasmo I'm aware of that, thanks for the pointer. 🙂 I'd still say that since np is pretty integrated with git, it should respect .gitignore behavior — everything else seems inconsistent to me.

loilo avatar Apr 02 '20 22:04 loilo

Ignoring lockfiles goes against best practices (and sort of defeats their purpose), it's not worth supporting uncommon practices here

fregante avatar Feb 03 '23 10:02 fregante