Oscillating package-lock.json due to npm version upgrade to v7

[SudharakaP]

Describe the bug

This has been an issue I saw for a while where the package-lock.json file changes depending on the node/npm version that you use. An example would be the recent PR; https://github.com/opencollective/opencollective-frontend/pull/6155/files. The problem started when I think when some people in the @opencollective/core team started using npm v7 whereas others have npm v6.

Now, note that npm v7 has major upgrades to the package-lock.json **file and uses the lockfileVersion=2. However when someone executes npm i using npm v6 then the package-lock.json file is downgraded to v1. This can be annoying as the package lock file will keep oscillating on which npm version people use.

Current LTS release of node (v14.16.1) ships with npm v6. And therefore my thinking is that we should not upgrade the npm version to v7; especially since we are keeping the node version at v14 as our supported version (same applies for api layer).

Thinking further I propose the following solution both for the front-end and api layer. We should make sure people use node 14.x and npm version 6.x and this should be strict (using the engine-strict=true on .npmrc file). One day when node 15.x becomes LTS we should have a task to migrate our package-lock.json file to version 2 or 3. 😄

Let me know your thoughts of if you disagree with this. 😄

Expected behavior

Whenever a developer executes npm i the package-lock.json version (lockfileVersion) should stay the same regardless of what kinda node or npm version they use as long as it falls within our supported Nodejs versions.

[SudharakaP]

I've proposed two PRs for this, just to remind if we decide to go forward with this, probably we need to make an announcement in discussions or teams maybe sections so that people know beforehand although I think the error that they will get (if they are using npm v7) is quite self explanatory; 🤔

npm ERR! code EBADENGINE
npm ERR! engine Unsupported engine
npm ERR! engine Not compatible with your version of node/npm: opencollective-frontend@2.2.0
npm ERR! notsup Not compatible with your version of node/npm: opencollective-frontend@2.2.0
npm ERR! notsup Required: {"node":"14.x","npm":"6.x"}
npm ERR! notsup Actual:   {"npm":"7.7.6","node":"v15.14.0"}

[znarf]

Good stuff, I faced the issue recently:
https://opencollective.slack.com/archives/CEZUS9WH3/p1616517051003500

[Betree]

The massive diffs on package-lock generated by this mismatch are polluting the Git history. Thanks for taking the time to look into it!

[SudharakaP]

Good stuff, I faced the issue recently:
https://opencollective.slack.com/archives/CEZUS9WH3/p1616517051003500

Ah, I didn't know it was already recorded on Slack; was always wondering why my package-lock.json keeps changing. 😄

The massive diffs on package-lock generated by this mismatch are polluting the Git history. Thanks for taking the time to look into it!

You are welcome. 😄

[lalomartins]

One day when node 15.x becomes LTS we should have a task to migrate our package-lock.json file to version 2 or 3. 😄

LTS is now 16.x, in a few weeks it will be 18.x, so here's a reminder to create this task(s) 😸 not that the upgrade is urgent, but it's good to have the task, and besides in my experience the new version of the package lock is actually more useful.

[znarf]

We're usually happy to upgrade our node version to latest or latest LTS, but we always need to wait that Heroku and Vercel supports it.

16.x is currently blocked for months by Vercel, itself blocked by AWS, a bit sad situation:
opencollective/opencollective-frontend#7103