New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Commit package-lock.json #186
Comments
This is deliberately not done. Because package-lock.json cannot be published, it is only of use at development time – and I would rather let versions float so nightly CI runs can identify problems as early as possible. https://docs.npmjs.com/cli/v9/configuring-npm/package-lock-json |
Can't the CI script delete
Those docs recommend committing |
I explained why I don't: it provides no benefit and creates some drawbacks (as I see things). |
It does provide benefits for reproducably building markdownlint-cli2 for use by e.g. Linux distributions. |
I haven't heard from anyone trying to do that so far. In terms of users who want reproducibility, the Docker container image is far more comprehensive as it locks the version of this package, all dependencies, the Node runtime, all its dependencies, all the way up to the OS itself. |
I would add markdown-cli2 to NixOS if it had a
But if you use the Dockerfile on two different machines at slightly different times you might get different versions of the dependencies. |
Interesting! Does NixOS have a history of including Node tools? Can you point me at some examples? Regarding Docker, I said the container image offers reproducibility. I agree that building the image again from source at a different time may yield different results. But someone can use the same container images everywhere and get identical results. |
See for example https://github.com/NixOS/nixpkgs/pull/246155/files#diff-8e7402220a1ea5eb3dab0c71855741c7f6468c246b9a19a443a67494e51b2e77 for markdownlint-cli. |
It looks like markdownlint-cli2 is already available in NixOS? |
Indeed, but using an old method for packaging JS things. I was trying to bring it up to date. |
Is https://docs.npmjs.com/cli/v9/configuring-npm/npm-shrinkwrap-json acceptable as an alternative? It seems better suited for the goal of reproduceability anyway. Specifically, while lock applies only at development time and allows run time to float and cause problems, shrinkwrap seems to apply to both scenarios and should therefore provide consistency. |
Yes, that also works. |
This change will be part of the next release. I still don't think I believe in package-lock, but shrinkwrap seems to fit with my way of thinking and offer the guarantee you want. Thanks for bringing this up! |
…s cross-platform install problems that are difficult to detect and avoid (refs #186).
FYI, I have reverted this change for |
FYI, I captured my notes here historical purposes and possible future reference: https://gist.github.com/DavidAnson/39b0eed160f7ce481c92e24a651b5d6f |
Since this is not a library its
package-lock.json
should be tracked by git.The text was updated successfully, but these errors were encountered: