gradle-node-plugin icon indicating copy to clipboard operation
gradle-node-plugin copied to clipboard

Published 20 hours ago verified publisher icon srs

npm install should be using npm ci

Open tobias- opened this issue 6 years ago • 6 comments

As of NPM 5.7.0 there's a new command for npm called ci which uses the package-lock.json to decide which dependencies to install. A normal npm install will just overwrite package-lock.json with the latest acceptable versions of the dependencies (and their dependencies) and tell the user that X packages has been updated. This is ok-ish for promoted builds, but works poorly where you do a specific production build and expect dependencies to be the same unless someone explicitly updates the dependency-"manifest".

I believe that changing the default behaviour from install to ci would be better in the long run, but it's a major change, creating a flag that toggles between install and ci that defaults to the old behaviour would probably be preferable. Especially since the flag didn't exist until 5.7.0.

tobias- avatar Aug 29 '18 15:08 tobias-

As a workaround, I created manually the npmCi task in the build script:

task npmCi(type: NpmTask) {
    dependsOn npmSetup
    npmCommand = ["ci"]
    inputs.file("package.json")
    inputs.file("package-lock.json")
    outputs.dir("node_modules")
}

bsautel avatar Nov 02 '18 09:11 bsautel

The built-in ci task would be great but implicitly substitute install with ci is wrong, at least it will break projects without package-lock.json.

A normal npm install will just overwrite package-lock.json with the latest acceptable versions of the dependencies (and their dependencies) and tell the user that X packages has been updated.

It's not true.

web-devel avatar Nov 06 '18 13:11 web-devel

I have a proposed solution in a fork. https://github.com/node-gradle/gradle-node-plugin/pull/5

If anyone would like to have a look at it that'd be great!

The idea is to add a task that changes the command of npmInstall. In my case I used npmCi

deepy avatar Dec 14 '18 12:12 deepy

Perhaps a less intrusive solution would be to add a configuration option to node { ... } that would toggle the behavior of the npmInstall task. This could be toggled pretty easily when running in CI. For example, for CircleCI:

node {
  ...
  ci = System.env.CI
}

rafeememon avatar Apr 02 '19 16:04 rafeememon

So is it possible now to use npm ci? If I add another task, implicitely npmInstall will still be triggered, correct?

danielsuter avatar Jul 21 '19 17:07 danielsuter

Yes it is possible. And no, the npm install task is not triggered automatically, at least when you use custom tasks extending NodeTask.

bsautel avatar Jul 22 '19 07:07 bsautel