-
Notifications
You must be signed in to change notification settings - Fork 240
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[RRFC] Support installing from only a lock file #717
Comments
A lockfile doesn't have sufficient information. Why would it be valuable to duplicate the information in package.json into the lockfile? It seems like a smarter diffing algorithm would help you here - for example, don't just diff the files, but delete the keys you don't care about, sort the remaining top-level keys, and then diff them. |
A smarter diffing algorithm would definitely be an alternative. It does make it more complicated however as it would necessitate a tool being installed or copy pasted between projects. When you say that the information in a lock file doesn't have sufficient information, what is missing? My understanding was that lock files had everything necessary.
This suggests the need for a package.json are reduced so reducing further might be possible. Thanks for taking the time to read the proposal! |
reducing, not eliminating, is what i read from that. |
After a big more learning and experimenting related to this I have a work around which involves:
Code
The "postinstall": "node -e \"require('node:fs').writeFileSync( 'package-docker.json', JSON.stringify({...require('./package-lock.json').packages[''], overrides: require('./package.json').overrides}, null, 2) );\"" In a more readable format: require("node:fs").writeFileSync(
"package-docker.json",
JSON.stringify(
{
...require("./package-lock.json").packages[""],
overrides: require("./package.json").overrides,
},
null,
2
)
); For step 1 I was able to generate this completely from the The problem with this workaround is that it will most likely break tools like dependabot, renovate or any other tool which only expects |
Motivation ("The Why")
When developing in a docker environment, rebuilding images and installing dependencies can be quite slow. Using best practices it is recommended to have a docker file with the following steps:
Doing it this way ensure that we can skip step 2 if nothing has changed in step 1. Ideally this means that step 1 should only contain the minimum to install the dependencies in step 2.
For npm v9 the minimum needed to be able to install dependencies in a production like setting such as a docker file is both the package.json and package-lock.json.
Relying on package.json has some downsides because it is used for a lot of other configuration:
If any of these change then step 2 of the docker build cannot be skipped.
Example
How
Current Behaviour
Trying to install with only a package-lock.json file present results in the following error:
Desired Behaviour
npm install
should support installing from only a package-lock.jsonnpm ci
should support installing from only a package-lock.json.References
The text was updated successfully, but these errors were encountered: