moonrepo / moon

A build system and monorepo management tool for the web ecosystem, written in Rust.
https://moonrepo.dev/moon
MIT License

[potential bug] Moon uses `npm install` instead of `npm ci` #1704

Open AnomalRoil opened 22 hours ago

AnomalRoil commented 22 hours ago

Describe the bug

When running any tasks in an npm project, it seems moon is going to first run npm install, but npm install is not freezing the package-lock.json files and there are no options to use npm clean-install instead. This means sometimes moon will randomly decide to change my package-lock.json, making my builds far less deterministic than I'd like.

Is this intended or not?

Expected behavior

Running moon run :build should build things, not update my package-lock.json.

Environment

npx envinfo

  System:
    OS: Linux 6.9 Pop!_OS 22.04 LTS
    CPU: (24) x64 AMD Ryzen 9 5900X 12-Core Processor
    Memory: 5.44 GB / 31.25 GB
    Container: Yes
    Shell: 5.8.1 - /bin/zsh
  Binaries:
    Node: 22.9.0 - ~/.nvm/versions/node/v22.9.0/bin/node
    Yarn: 1.22.22 - /usr/bin/yarn
    npm: 10.8.3 - ~/.nvm/versions/node/v22.9.0/bin/npm
  Managers:
    Apt: 2.4.13 - /usr/bin/apt
    Cargo: 1.79.0 - ~/.cargo/bin/cargo
    Gradle: 4.4.1 - /usr/bin/gradle
    pip3: 22.0.2 - /usr/bin/pip3
    RubyGems: 3.3.5 - /usr/bin/gem
  Utilities:
    CMake: 3.22.1 - /usr/bin/cmake
    Make: 4.3 - /usr/bin/make
    GCC: 11.4.0 - /usr/bin/gcc
    Git: 2.34.1 - /usr/bin/git
    Clang: 14.0.0 - /usr/bin/clang
    Ninja: 1.10.1 - /usr/bin/ninja
    FFmpeg: 4.4.2 - /usr/bin/ffmpeg
    Curl: 7.81.0 - /usr/bin/curl
    OpenSSL: 3.0.2 - /usr/bin/openssl
  Virtualization:
    Docker: 20.10.15 - /usr/bin/docker
    VirtualBox: 7.0.18 - /usr/bin/vboxmanage
  IDEs:
    Emacs: 27.1 - /usr/bin/emacs
    Nano: 6.2 - /usr/bin/nano
    Vim: 9.1 - /usr/local/bin/vim
  Languages:
    Bash: 5.1.16 - /usr/bin/bash
    Go: 1.23.2 - /home/anomalroil/.local/bin/go
    Java: 11.0.24 - /usr/bin/javac
    Perl: 5.34.0 - /usr/bin/perl
    Protoc: 25.3 - /usr/local/bin/protoc
    Python3: 3.10.12 - /usr/bin/python3
    R: 4.1.2 - /usr/bin/R
    Ruby: 3.0.2 - /usr/bin/ruby
    Rust: 1.79.0 - /home/anomalroil/.cargo/bin/rustc
  Databases:
    SQLite: 3.37.2 - /usr/bin/sqlite3
  Monorepos:
    Yarn Workspaces: 1.22.22

Additional context

If this is intended, is there any workaround (other than switching to yarn and using --frozen-lockfile if possible) to avoid that behaviour?

milesj commented 16 hours ago

@AnomalRoil We use npm ci when in CI, but npm install locally: https://github.com/moonrepo/moon/blob/master/legacy/node/tool/src/npm_tool.rs#L201

We do this to handle situations where a package.json dependency was changed somewhere, but the install hasn't occurred yet, resulting in an invalid node_modules state.