Timeline for How is a reproducible build guaranteed with version ranges in NPM?
Current License: CC BY-SA 4.0
16 events
| when | what | | by | license | comment |
|---|---|---|---|---|---|
| Aug 18, 2020 at 15:53 | vote | accept | Finlay Weber | | |
| Aug 13, 2020 at 17:52 | comment | added | Jörg W Mittag | | "I see npm install included in travis.yml. I guess they are doing it wrong?" – Why are you automatically assuming that someone who doesn't do it the way in which you think it should be done is doing it wrong? Again, whether or not you want reproducible builds is a choice. Some people want them. Some people don't. Neither of them is "doing it wrong". Whether or not you use version ranges is a choice. Some people use them. Some people don't. Neither of them is "doing it wrong". They're just making a choice that you, personally, disagree with. That doesn't make them wrong, though. |
| Aug 13, 2020 at 17:06 | review | Close votes | | | |
| Aug 28, 2020 at 3:06 | | | | | |
| S Aug 13, 2020 at 16:15 | history | suggested | jonrsharpe | CC BY-SA 4.0 | Improve language |
| Aug 13, 2020 at 16:06 | comment | added | jonrsharpe | | `npm install` is fine if the `package-lock.json` is compatible with `package.json`. See e.g. stackoverflow.com/a/53594050/3001761. Generally prefer `npm ci` in CI - it's safer and faster (and is the default in Travis if it's usable). |
| Aug 13, 2020 at 15:50 | comment | added | Finlay Weber | | "Just don't run the dependency resolver" - I think that is the missing piece. And if I am not mistaken, in npm, this will be `npm install`? `npm build`, on the other hand, can be run and the build will use the info in the lockfile to execute the build. I did some random search on GH, and I see `npm install` included in travis.yml. I guess they are doing it wrong? Or is there a different command for the dependency resolver in npm? |
| Aug 13, 2020 at 15:41 | comment | added | Jörg W Mittag | | They are created by the dependency resolver. Just don't run the dependency resolver. Note that if your build process is changing files inside of the repository, you have much bigger problems than worrying about version ranges. |
| Aug 13, 2020 at 15:41 | comment | added | jonrsharpe | | What's preventing anything else in your version-controlled code from changing on the build server? Hopefully you're just not doing that. Running `npm ci`, for example, will not update the lockfile and will bail if it doesn't match the package file. |
| Aug 13, 2020 at 15:39 | answer | added | Jörg W Mittag | | timeline score: 3 |
| Aug 13, 2020 at 15:38 | comment | added | Finlay Weber | | But the `yarn.lock` or `package-lock.json` are created from information in `package.json`; what is stopping them from also changing on the build server? |
| Aug 13, 2020 at 15:29 | review | Suggested edits | | | |
| S Aug 13, 2020 at 16:15 | | | | | |
| Aug 13, 2020 at 15:23 | comment | added | jonrsharpe | | With the `yarn.lock` or `package-lock.json`, which contains the explicit versions resolved. |
| Aug 13, 2020 at 15:16 | answer | added | Greg Burghardt | | timeline score: 2 |
| Aug 13, 2020 at 15:13 | answer | added | curiousdannii | | timeline score: 4 |
| Aug 13, 2020 at 14:32 | review | First posts | | | |
| Aug 17, 2020 at 16:35 | | | | | |
| Aug 13, 2020 at 14:28 | history | asked | Finlay Weber | CC BY-SA 4.0 | |