Support for reproducible builds #3466

Closed
kpine opened this issue Dec 3, 2023 · 2 comments · Fixed by #3467
Comments

@kpine
Contributor

kpine commented Dec 3, 2023

Is your feature request related to a problem? Please describe.
The build process currently does not support reproducible builds. This is necessary for some packaging systems, like Nix.

Describe the solution you'd like
Support reproducible builds by updating the package-lock.json file to include integrity and resolved fields.

Describe alternatives you've considered
N/A

Additional context
I am trying to package zwave-js-ui for Nix. However, the build system fails because the lockfile is missing the integrity hashes, which it uses to copy the node modules from a cache store.

I'm not sure how you generated the lock file? When I do the following (from alpine:3.18.4 image), I get something completely different than what currently exists:

```sh
/src # node --version
v18.18.2
/src # npm --version
9.6.6
rm -rf node_modules
rm package-lock.json
npm cache clean -f
npm install
```

Here is the result: kpine@e6a8380

Of course, if you do the same at a different time, the dependent packages may update.

I also noticed the Dockerfile is using npm install. This seems less than ideal as it is possible for npm to update packages? This makes the Docker builds also non-reproducible. Along with the lockfile update, the Dockerfile should probably use npm ci for installation. My understanding is that npm ci will not re-write any packages.

@kpine kpine added the enhancement New feature or request label Dec 3, 2023
@robertsLando
Member

> I also noticed the Dockerfile is using npm install

Yeah, it does, but when doing releases that line is not triggered, as it will re-use node_modules from the previous action step; I did this to optimize the build. Anyway, for consistency that could be converted to npm ci :)

```yaml
- name: Pre-build frontend and backend files
  run: |
    npm ci
    npm run build
```

I sincerely have no clue why my package-lock is missing those declarations. I'm using nodejs 20.8.0 with npm 10.1.0. Let me investigate.

@robertsLando
Member

Ok seems a known bug: npm/cli#4263

2 participants