Build should error if package.json and package-lock.json are out of sync #132
Comments
Would it be appropriate to just warn the user through build output that their app may be out of date? So we could take a checksum of
I think a warning here is too subtle. Several users have already reported bugs that had this root issue. It gets reported as "the buildpack isn't updating my dependency" and then we discover that the
From what I can see of the npm-ci docs,
So I think if the
The buildpack doesn't realize that it needs to run `npm install` instead of `npm ci` in the situation where the developer has forgotten to update their `package-lock.json` file.

Replication steps
1. `package.json`
2. `npm install --package-lock-only` in the source directory
3. `pack build myapp --buildpack gcr.io/paketo-buildpacks/nodejs`. You should see logs like the following:
4. `docker run -it myapp`. You should see that it cannot find the `chalk` command as that was in the `devDependencies` section of our `package.json`.
5. `package.json` to move the `chalk-cli` from `devDependencies` to `dependencies`. This should make it so that it is available on the `$PATH` and callable in our start command.
6. `pack build myapp --buildpack gcr.io/paketo-buildpacks/nodejs`. NOTE: we did not update the `package-lock.json`. Also note in the logs that the `node_modules` layer is reused. You should see logs like the following:
7. `docker run -it myapp` and confirm that the `chalk` command is still not found on the `$PATH`:
8. `npm install --package-lock-only` in the source directory. This will update the `package-lock.json` file.
9. `pack build myapp --buildpack gcr.io/paketo-buildpacks/nodejs` and see the following logs, noting that the `node_modules` layer is rebuilt this time:
10. `docker run -it myapp` one last time, seeing the following output:

Proposal
The buildpack should fail the build if the `package.json` has been updated without the `package-lock.json` also being updated. The buildpack should detect this situation and show a reasonable error message to the user suggesting that they may need to run `npm install --package-lock-only` in order to update their `package-lock.json` file. It looks like this at least impacts the `npm ci` build process, but it may also impact other build processes. We should ensure we have coverage of this case for all chosen build processes if applicable.
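
A sketch of the check the proposal asks for, as an added example that is not the buildpack's own code: it compares the dependency ranges declared in `package.json` with what the lockfile records for the root project. It goes beyond the case in the issue by also handling lockfileVersion 1, where only the per-package `dev` flag is available. The function name, the sample objects and the `^4.1.0` version are constructed for illustration.

```javascript
// Added example (not buildpack code): detect drift between the parsed
// contents of package.json (manifest) and package-lock.json (lock).
const SECTIONS = ['dependencies', 'devDependencies'];

// Returns a list of human-readable mismatches; an empty list means in sync.
function findLockfileDrift(manifest, lock) {
  const problems = [];
  const root = lock.packages && lock.packages[''];
  if (root) {
    // lockfileVersion 2/3: the "" entry records the root project's declared ranges.
    for (const section of SECTIONS) {
      const want = manifest[section] || {};
      const have = root[section] || {};
      for (const name of new Set([...Object.keys(want), ...Object.keys(have)])) {
        if (want[name] !== have[name]) {
          problems.push(`${section}.${name}: package.json=${want[name] ?? '(absent)'} ` +
            `lock=${have[name] ?? '(absent)'}`);
        }
      }
    }
    return problems;
  }
  // lockfileVersion 1: no root record, so check presence and the "dev" flag.
  const locked = lock.dependencies || {};
  for (const name of Object.keys(manifest.dependencies || {})) {
    if (!locked[name]) problems.push(`dependencies.${name}: missing from lock`);
    else if (locked[name].dev) problems.push(`dependencies.${name}: locked as dev-only`);
  }
  for (const name of Object.keys(manifest.devDependencies || {})) {
    if (!locked[name]) problems.push(`devDependencies.${name}: missing from lock`);
  }
  return problems;
}

// Constructed sample: chalk-cli was moved to "dependencies" in package.json,
// but the lock was generated earlier and still treats it as a dev dependency.
const manifest = { name: 'myapp', dependencies: { 'chalk-cli': '^4.1.0' } };
const staleLockV3 = {
  lockfileVersion: 3,
  packages: { '': { name: 'myapp', devDependencies: { 'chalk-cli': '^4.1.0' } } },
};
const staleLockV1 = {
  lockfileVersion: 1,
  dependencies: { 'chalk-cli': { version: '4.1.0', dev: true } },
};
console.log(findLockfileDrift(manifest, staleLockV3));
console.log(findLockfileDrift(manifest, staleLockV1));
```

A build step could fail with the returned messages and point the user at `npm install --package-lock-only`, as the proposal suggests.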