The package-lock.json file is not included in my-site folder, and builds are not fully reproducible, as the JS dependencies are always re-locked.
Possible solution
always copy package-lock.json from ../var/instance/assets/ to my-site/. Make sure that git ignores the creation/modification file dates if the file content didn't change
have an extra CLI param in invenio-cli that will:
copy the package-lock.json from my-site to ../var/instance/assets/
if the my-site/pipfile.lock is newer than my-site/package-lock.json, then overwrite or fail (some python deps might have changed)
run npm ci instead of npm install
the development workflow with linked editable (watched) modules should be tested, to ensure nothing breaks
when in NODE_ENV=production, the above should always happen. When in NODE_ENV=dev, the I can use a new param invenio-cli install --keep-deps
The
package-lock.json
file is not included inmy-site
folder, and builds are not fully reproducible, as the JS dependencies are always re-locked.Possible solution
package-lock.json
from../var/instance/assets/
tomy-site/
. Make sure thatgit
ignores the creation/modification file dates if the file content didn't changeinvenio-cli
that will:package-lock.json
frommy-site
to../var/instance/assets/
my-site/pipfile.lock
is newer thanmy-site/package-lock.json
, then overwrite or fail (some python deps might have changed)npm ci
instead ofnpm install
NODE_ENV=production
, the above should always happen. When inNODE_ENV=dev
, the I can use a new paraminvenio-cli install --keep-deps