Commit package-lock.json

[dotlambda]

Since this is not a library its package-lock.json should be tracked by git.

[DavidAnson]

This is deliberately not done. Because package-lock.json cannot be published, it is only of use at development time – and I would rather let versions float so nightly CI runs can identify problems as early as possible.

https://docs.npmjs.com/cli/v9/configuring-npm/package-lock-json

[dotlambda]

I would rather let versions float so nightly CI runs can identify problems as early as possible.

Can't the CI script delete package-lock.json before running npm ci?

https://docs.npmjs.com/cli/v9/configuring-npm/package-lock-json

Those docs recommend committing package-lock.json.

[DavidAnson]

I explained why I don't: it provides no benefit and creates some drawbacks (as I see things).

[dotlambda]

It does provide benefits for reproducably building markdownlint-cli2 for use by e.g. Linux distributions.

[DavidAnson]

I haven't heard from anyone trying to do that so far. In terms of users who want reproducibility, the Docker container image is far more comprehensive as it locks the version of this package, all dependencies, the Node runtime, all its dependencies, all the way up to the OS itself.

[dotlambda]

I haven't heard from anyone trying to do that so far.

I would add markdown-cli2 to NixOS if it had a package-lock.json.

In terms of users who want reproducibility, the Docker container image is far more comprehensive as it locks the version of this package, all dependencies, the Node runtime, all its dependencies, all the way up to the OS itself.

But if you use the Dockerfile on two different machines at slightly different times you might get different versions of the dependencies.

[DavidAnson]

Interesting! Does NixOS have a history of including Node tools? Can you point me at some examples?

Regarding Docker, I said the container image offers reproducibility. I agree that building the image again from source at a different time may yield different results. But someone can use the same container images everywhere and get identical results.

[dotlambda]

Interesting! Does NixOS have a history of including Node tools? Can you point me at some examples?

See for example https://github.com/NixOS/nixpkgs/pull/246155/files#diff-8e7402220a1ea5eb3dab0c71855741c7f6468c246b9a19a443a67494e51b2e77 for markdownlint-cli.

[DavidAnson]

It looks like markdownlint-cli2 is already available in NixOS?

https://search.nixos.org/packages?channel=23.05&show=nodePackages.markdownlint-cli2&from=0&size=50&sort=relevance&type=packages&query=Markdownlint

[dotlambda]

It looks like markdownlint-cli2 is already available in NixOS?

Indeed, but using an old method for packaging JS things. I was trying to bring it up to date.
See NixOS/nixpkgs#229475.

[DavidAnson]

Is https://docs.npmjs.com/cli/v9/configuring-npm/npm-shrinkwrap-json acceptable as an alternative? It seems better suited for the goal of reproduceability anyway. Specifically, while lock applies only at development time and allows run time to float and cause problems, shrinkwrap seems to apply to both scenarios and should therefore provide consistency.

[dotlambda]

Yes, that also works.

[DavidAnson]

This change will be part of the next release. I still don't think I believe in package-lock, but shrinkwrap seems to fit with my way of thinking and offer the guarantee you want. Thanks for bringing this up!

[DavidAnson]

FYI, I have reverted this change for v0.9.2. Despite spending hours trying to make it work, I could not dependably detect or avoid cross-platform breaks. I will not try this again until I learn of a successful strategy or npm fixes the issues I was hitting. More discussion here: #198. Sorry about that!

[DavidAnson]

FYI, I captured my notes here historical purposes and possible future reference: https://gist.github.com/DavidAnson/39b0eed160f7ce481c92e24a651b5d6f