DEV Community

loading...

Discussion on: So you think you're just gonna `npm install`? Think again

lirantal profile image
Liran Tal Author

No. In no circumstance it would be appropriate to manually edit a lock file. Generally speaking if you need to "fix" a lock file. It's better to use the package manager built-in tooling for it. For example, yarn supports automatic resolution of conflict merge issues that fix the lock file.

If that doesn't help. You can update the lock file by running the install/remove commands using the package manager so that it takes care of updating the lock file for you.

Regardless of this, during CI builds you want to maintain reproducible builds and be strict on what packages you install.

Maybe it wasn't very clear in the post but to provide this as an example:

  1. package.json defines dependency myCoolModule version 1.2.3
  2. lockfile has myCoolModule version 0.0.1

At this point, it doesn't really matter how (1) and (2) are different (whether merge conflict issue, or someone forgot to sync the package.json with the lock file)

  1. if your CI server runs npm install then it would detect that the package lock is out of date and both update it (which means it modifies the git copy it cloned, bad to begin with), and brings in 1.2.3 which is what the package.json defined, but not the lock file. Therefore, making the lock file useless.

Instead, you'd want in your CI to run npm ci which reads the lock file as a source of truth, and will bring you myCoolModule version 0.0.1. If it breaks your tests - all the better, it means that the build stopped you from shipping something you didn't expect.

Hope it's a bit clearer :-)

Thread Thread
the_hme profile image
Brenda 🐱

I see. Thanks for the reply.