package-lock.json files getting created after updating npm version #1175

Open
samreid opened this issue Dec 14, 2021 · 12 comments
@samreid
Member

samreid commented Dec 14, 2021

Today I updated npm. Build processes are failing because it keeps creating package-lock.json. Following #578 I set `npm config set save false` but it still created the files. I wanted to make RC.3 for phetsims/circuit-construction-kit-common#796 so I was deleting those files as it created them. But there is hopefully a better way.

@samreid samreid self-assigned this Dec 14, 2021
@samreid
Member Author

samreid commented Dec 14, 2021

I observed this is happening with `grunt rc` but not just `npm install` or `npm update`. Not sure why.

@samreid
Member Author

samreid commented Dec 14, 2021

@mattpen or @jonathanolson can you help speculate what is happening or how to investigate it? I basically have to keep deleting package-lock.json files during a deploy which is scary.

@samreid samreid assigned mattpen and jonathanolson and unassigned samreid Dec 14, 2021
@samreid
Member Author

samreid commented Dec 14, 2021

@mattpen said this may be fixed in a newer version of node.

@samreid samreid self-assigned this Dec 14, 2021
@mattpen
Contributor

mattpen commented Dec 14, 2021

@samreid - Please check out @pixelzoom's comments in this issue: #1035. It looks like updating your node version should fix it.

@samreid
Member Author

samreid commented Dec 14, 2021

This package has installed:
  • Node.js v16.13.1 to /usr/local/bin/node
  • npm v8.1.2 to /usr/local/bin/npm

I'll reopen if there are more problems in the future, thanks!

@samreid samreid closed this as completed Dec 14, 2021
@samreid samreid reopened this Dec 16, 2021
@samreid
Member Author

samreid commented Dec 16, 2021

Still happening even for creating dev versions.

@samreid
Member Author

samreid commented Dec 16, 2021

`npm config set package-lock false` seemed to work, thanks https://codeburst.io/disabling-package-lock-json-6be662f5b97d

@samreid samreid closed this as completed Dec 16, 2021
@zepumph
Member

zepumph commented Jan 28, 2025

I believe that we should add in package-lock.json files to our project. This is coming from phetsims/perennial#428, but has come up quite often for the last few years.

It may involve a script that goes to every branch in every repo, runs npm install, and then commits the package-lock.json. But we would start by figuring out what steps we want to do on main.

@zepumph zepumph reopened this Jan 28, 2025
@pixelzoom
Contributor

Note that binder and weddell currently have package-lock.json files. It's unclear whether that's intentional, or whether they were accidentally checked in.

@samreid samreid assigned zepumph and unassigned samreid Jan 29, 2025
@zepumph
Member

zepumph commented Feb 3, 2025

@zepumph
Member

zepumph commented Feb 3, 2025

History:
#578
#114

@zepumph
Member

zepumph commented Feb 3, 2025

From conversation with @jonathanolson and @samreid

Benefits:

  • No global settings manipulation
  • Fewer breakages on release branches
  • Installing dependencies takes much less time

Costs:

  • The work to overhaul this
  • Older releases will need manual dependency updates more often, since they won't auto pick up maintenance versions.

Notes and follow up questions:

  1. Is prune needed before clean-install?
  2. We should use `npm clean-install`. https://docs.npmjs.com/cli/v9/commands/npm-ci. `npm ci` hard fails if there isn't a package-lock.
  3. Use shrinkwrap instead of package-locks? (SR's ChatGPT recommends package-lock instead of shrinkwrap)

Cases that use npm install:

  • local devs
  • outside devs
  • Documentation
    • Chipper 2.0 doc
    • Getting started guide
    • How to add/update a dependency (committing a package-lock.json)
  • Tooling on main
  • MR process
  • old releases
  • build server
  • rosetta
  • bayes processes
  • CT/aqua

Next steps:
Investigation and testing, then report back for planning. I don't think this can be part of my flex time outside of priorities.
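
The lockfile preconditions raised in the notes above (`npm ci` hard fails without a package-lock, and some repos already have one while others do not), as an added example that is not part of the original thread or the project's tooling. It assumes repos are checked out as sibling directories under one root; `auditRepo` and `auditAll` are hypothetical names, and the range comparison only approximates npm's own consistency check.

```javascript
// Added example. Assumes repos are sibling directories under one root (hypothetical layout).
const fs = require('node:fs');
const path = require('node:path');

// npm ci accepts either file; npm-shrinkwrap.json takes precedence when both exist.
const LOCK_NAMES = ['npm-shrinkwrap.json', 'package-lock.json'];
const readJson = file => JSON.parse(fs.readFileSync(file, 'utf8'));

// Returns { status, problems } where status is one of:
// 'no-package-json' | 'missing-lock' | 'out-of-sync' | 'ok'
function auditRepo(repoDir) {
  const pkgFile = path.join(repoDir, 'package.json');
  if (!fs.existsSync(pkgFile)) return { status: 'no-package-json', problems: [] };
  const lockName = LOCK_NAMES.find(n => fs.existsSync(path.join(repoDir, n)));
  if (!lockName) return { status: 'missing-lock', problems: [] }; // npm ci would hard fail

  const pkg = readJson(pkgFile);
  const lock = readJson(path.join(repoDir, lockName));
  // lockfileVersion 2/3 records the root manifest under packages[""]; version 1 does not.
  const root = lock.packages ? (lock.packages[''] || {}) : null;
  const problems = [];
  for (const field of ['dependencies', 'devDependencies']) {
    for (const [name, range] of Object.entries(pkg[field] || {})) {
      const locked = root ? lock.packages[`node_modules/${name}`] : (lock.dependencies || {})[name];
      if (!locked) { problems.push(`${name}: missing from ${lockName}`); continue; }
      // Approximation of npm ci's consistency check: compare the recorded range string.
      const recorded = root && (root[field] || {})[name];
      if (root && recorded !== range) {
        problems.push(`${name}: package.json has ${range}, lock recorded ${recorded}`);
      }
    }
  }
  return { status: problems.length ? 'out-of-sync' : 'ok', problems };
}

// Audit every directory directly under rootDir; returns { repoName: { status, problems } }.
function auditAll(rootDir) {
  const report = {};
  for (const entry of fs.readdirSync(rootDir, { withFileTypes: true })) {
    if (entry.isDirectory()) report[entry.name] = auditRepo(path.join(rootDir, entry.name));
  }
  return report;
}

if (typeof module !== 'undefined' && require.main === module && process.argv[2]) {
  for (const [repo, r] of Object.entries(auditAll(process.argv[2]))) {
    console.log(`${repo}\t${r.status}\t${r.problems.join('; ')}`);
  }
}
```

Run it as `node <file> <root-dir>`; repos reported as `missing-lock` or `out-of-sync` are the ones where a switch from `npm install` to `npm ci` would break the build.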
