Closed phillipbarron closed 1 year ago
Could I suggest using npm ci over npm i to install dependencies during CI.
With npm ci, the build would fail if the package-lock.json is out of date/sync:
- If dependencies in the package lock do not match those in package.json, npm ci will exit with an error, instead of updating the package lock.
That is, using npm ci would eliminate the need for similar PRs in future.
yarn has a similar feature via the --frozen-lockfile flag.
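The kind of mismatch the comment above describes, as an added example that is not code from this PR or from npm: a simplified drift check between package.json and a lockfileVersion 2/3 package-lock.json. The function name, package names and versions are hypothetical, and unlike npm ci it does not evaluate semver ranges against the resolved versions.

```javascript
// Simplified illustration of the package.json / package-lock.json consistency check.
// Assumes lockfileVersion 2 or 3, where packages[""] mirrors package.json's dependency maps.
const DEP_FIELDS = ["dependencies", "devDependencies"];

function lockfileDrift(pkg, lock) {
  const problems = [];
  const packages = lock.packages || {};
  const root = packages[""];
  if (!root) return ['lockfile has no root entry (packages[""])'];
  for (const field of DEP_FIELDS) {
    const wanted = pkg[field] || {};
    const locked = root[field] || {};
    for (const name of new Set([...Object.keys(wanted), ...Object.keys(locked)])) {
      if (!(name in wanted)) {
        problems.push(`${field}: ${name} is locked but not in package.json`);
      } else if (!(name in locked)) {
        problems.push(`${field}: ${name} is in package.json but not locked`);
      } else if (wanted[name] !== locked[name]) {
        problems.push(`${field}: ${name} wants ${wanted[name]}, lock recorded ${locked[name]}`);
      } else if (!packages[`node_modules/${name}`]) {
        problems.push(`${field}: ${name} has no resolved entry in the lockfile`);
      }
    }
  }
  return problems;
}

// Constructed sample data (hypothetical package names and versions).
const samplePackageJson = {
  name: "client",
  dependencies: { "example-http": "^1.3.0", "example-lib": "^2.0.0" },
  devDependencies: { "example-test-runner": "^5.0.0" },
};
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": {
      name: "client",
      dependencies: { "example-http": "^1.3.0", "example-lib": "^1.9.0" },
    },
    "node_modules/example-http": { version: "1.3.0" },
    "node_modules/example-lib": { version: "1.9.4" },
  },
};

const drift = lockfileDrift(samplePackageJson, sampleLock);
console.log(drift.length ? drift.join("\n") : "lockfile in sync");
```

A CI step that exits non-zero when the returned list is non-empty surfaces the drift before merge instead of after.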
Great idea, yep, cheers @akash1810
The Snyk workflow runs against main so a PR to main can fail post merge - might be sensible to change this behaviour so we can tell ahead of merge if there is an issue. This PR updates the Package-lock in the client package to resolve the Snyk issue.
Edit - I have read through some of the Snyk docs and see that it's only possible to point at a single branch. That would work if we used a develop branch which we then merged into main, on feature availability or periodically. That's a conversation for another time.