node-gradle / gradle-node-plugin

Gradle plugin for integrating NodeJS in your build. :rocket:
Apache License 2.0

npmInstall task seems to ignore existing package-lock.json #247

Closed childen closed 1 year ago

childen commented 1 year ago

For us the npmInstall task seems to ignore the existing package-lock.json. Instead the latest available dependencies are installed and the package-lock.json file is updated with the new versions.

This might lead to non-reproducible builds. The npm_install task (which from my understanding is only calling npm install internally) does not alter the package-lock.json and installs the correct dependencies.

If this is intended behavior it would be great if the documentation would be more specific about the differences between npmInstall vs npm_install.

deepy commented 1 year ago

The documentation is unfortunately pretty sparse here, there's some details under Executing npm Tasks.

But the short of it is that npmInstall has some additional logic and other tasks are set up to depend on it, so it's generally the recommended task to run.

There are two circumstances I can think of that'd make this happen. The first is that npmInstall is being pulled from the cache and thus overwriting package-lock.json with unexpected results. I don't think it's this because the task is not marked as cacheable. The second is that npm does its own usual confusing thing: package-lock.json is automatically generated for any operations where npm modifies either the node_modules tree, or package.json. I'm betting this is the cause.
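One way to pin the build to the committed lockfile and to detect the drift described in this thread, as an added example that is not from the issue or the plugin's own code. It assumes the plugin's `node` extension exposes an `npmInstallCommand` setting and that the task is named `npmInstall` as discussed above; the plugin version is a placeholder.

```groovy
// build.gradle (Groovy DSL). Added example, not from the issue thread or the plugin.
// Assumptions: the `node` extension exposes `npmInstallCommand`, and the install
// task is `npmInstall` as discussed in the issue.
import java.security.MessageDigest

plugins {
    id 'com.github.node-gradle.node' version 'PLUGIN_VERSION' // placeholder: pin a real release
}

node {
    download = true
    // `npm ci` installs exactly what package-lock.json records and aborts when the
    // lockfile and package.json disagree, instead of silently rewriting the lockfile.
    npmInstallCommand = 'ci'
}

// Independent guard: fail the build if npmInstall changed package-lock.json, so a
// drift back to plain `npm install` (or an npm quirk) cannot go unnoticed.
def lockFile = file('package-lock.json')
def sha256 = { File f ->
    MessageDigest.getInstance('SHA-256').digest(f.bytes).encodeHex().toString()
}
def lockHashBefore = null

npmInstall {
    doFirst {
        if (!lockFile.exists()) {
            throw new GradleException('package-lock.json is missing; commit it for reproducible builds')
        }
        lockHashBefore = sha256(lockFile)
    }
    doLast {
        if (sha256(lockFile) != lockHashBefore) {
            throw new GradleException('npmInstall modified package-lock.json; the build is not reproducible')
        }
    }
}
```

Running `gradle npmInstall` then fails fast whenever the lockfile is rewritten, which is the symptom the issue reports.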