The package-lock.json file is not included in my-site folder, and builds are not fully reproducible, as the JS dependencies are always re-locked.
Possible solution
always copy package-lock.json from ../var/instance/assets/ to my-site/. Make sure that git ignores the creation/modification file dates if the file content didn't change
have an extra CLI param in invenio-cli that will:
copy the package-lock.json from my-site to ../var/instance/assets/
if the my-site/pipfile.lock is newer than my-site/package-lock.json, then overwrite or fail (some python deps might have changed)
run npm ci instead of npm install
the development workflow with linked editable (watched) modules should be tested, to ensure nothing breaks
when in NODE_ENV=production, the above should always happen. When in NODE_ENV=dev, the I can use a new param invenio-cli install --keep-deps
The
package-lock.jsonfile is not included inmy-sitefolder, and builds are not fully reproducible, as the JS dependencies are always re-locked.Possible solution
package-lock.jsonfrom../var/instance/assets/tomy-site/. Make sure thatgitignores the creation/modification file dates if the file content didn't changeinvenio-clithat will:package-lock.jsonfrommy-siteto../var/instance/assets/my-site/pipfile.lockis newer thanmy-site/package-lock.json, then overwrite or fail (some python deps might have changed)npm ciinstead ofnpm installNODE_ENV=production, the above should always happen. When inNODE_ENV=dev, the I can use a new paraminvenio-cli install --keep-deps