use 'npm ci' instead of 'npm install' for frontend builds

[dianekaplan]

The gocd generated pipelines use 'npm install' rather than 'npm ci', thanks to tubular/scripts/frontend_build.py and frontend_utils- see here: https://github.com/edx/tubular/blob/master/tubular/scripts/frontend_utils.py#L59

'npm ci' is preferable, as it is more strict about reproducing the package versions set in the package-lock.json (whereas 'npm install' blows it away and can use different versions).

Phil Shiu and David Joy have discussed that this should be corrected to npm ci. Logging here for tracking/info, since it affects many MFEs.

[adamstankiewicz]

It may be worth prioritizing the npm install -> npm ci change in tubular at the linked shared above over making the change in CI for each individual MFE (though both are important).

Rationale being if we only change the CI in individual MFEs to run npm ci instead, when a PR merges to master in that MFE and runs through the GoCD build and deploy pipeline, it'll still run npm install before releasing to stage/prod, potentially/theoretically pulling in later node_modules than explicitly defined in the package-lock.json file.

I think it may make sense to tackle tubular first and then the individual MFEs.

[abdullahwaheed]

we are overriding(e.g.) header and footer packages with NPM aliases using edx-internal configuration. Since package-lock.json and package.json will not match with this override, when we'll use npm ci, it would crash!

Ref: https://stackoverflow.com/questions/52499617/what-is-the-difference-between-npm-install-and-npm-ci#answer-53325242

[adamstankiewicz]

@abdullahwaheed I believe only the npm install for the repo's base dependencies should need to be flipped to npm ci (source), whereas the installation of the NPM alias override(s) would stick to using npm install.

The latter install for NPM alias overrides does not read from package.json or package-lock.json; it just installs over whatever default package was installed in package-lock.json for the repo.

Replicating the build process in GoCD locally works without error, e.g.:

npm ci
npm install @edx/brand@npm:@edx/brand-edx.org@2

Technically, that latter install will modify the package-lock.json file, but those changes are local to GoCD during the build + deploy process and never committed back to the repo. We could prevent the latter npm install for the aliases from mutating package-lock.json by including the --no-save argument.

[abdullahwaheed]

@adamstankiewicz thank you for clarification. You are right, i have missed the part where we are using package installation and alias installation separately.

[arbrandes]

What's the current status of this one?

[abdullahwaheed]

Its PR is ready for review

[arbrandes]

Looks like tubular is on its way out from the openedx org. Plus, the PR is merged. Closing.