openedx / wg-frontend

Open edX Frontend Working Group

Pinning node/npm packages and the usage of npm ci vs npm install #100

Closed ghassanmas closed 2 years ago

ghassanmas commented 2 years ago

Preface:

npm install

There are major ways to install the dependencies of a node project, a.k.a. node_modules. The standard typical way is to use npm install; using that means npm will not necessarily install the exact package version, unless the version is pinned, i.e. the version number is not prefixed with special characters. Consider the following examples ("major.minor.patch"):

  1. "my-package": "^1.2.1" with npm install will install the latest release [^1]
  2. "my-package": "~1.2.1" with npm install will install the latest patch release [^2]
  3. "my-package": "1.2.1" with npm install will install the exact version always.

Also, in cases 1 and 2 above, if npm finds a newer release it will update package-lock.json accordingly. So in other words, the outcome of running npm install will be affected by how dependencies are updated, i.e. it's a process whose outcome varies with time.

npm ci

However, in the case of npm ci, it will respect the content of package-lock.json and never try to update it (no matter how it's defined in package.json), and will take package.json as a reference (not to install newer packages but just to check that the versions in package-lock.json do comply with how they are defined in package.json), i.e. it's a process with a consistent outcome as long as package-lock.json is unchanged.

It will never write to package.json or any of the package-locks: installs are essentially frozen.[^3]

So this means another major requirement is that npm ci requires package-lock.json to already exist, which npm install can create.

The problem

Given Tutor uses npm install while edx/config uses npm ci, this leads to issues being raised in Tutor that aren't yet reported (it can definitely be the other way around). An example is openedx/edx-platform/pull/30309.

Conclusion

@regisb suggested in last BTR meeting:

is to explicitly pin all package versions in package.json

I personally think that both Tutor/edx should agree to use the same pipeline. npm ci is very useful for production settings, while npm install is the right choice for a development env. Add to that, npm ci is way faster than npm install.

[^1]: Ref for the ~
[^2]: Ref for the ^
[^3]: As seen in npm doc 6.x, 7.x and 8.x.
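The three specifier forms and the two install behaviours described in the issue above, worked through as an added example (this is not code from the issue, from Tutor or from npm). It implements npm's semver rules for "^", "~" and exact pins (including the caret special case for 0.x versions, which the issue does not cover), then models the two resolution strategies: an npm install style pick of the newest published version that satisfies package.json, and an npm ci style pick that returns the locked version unchanged or refuses when the lockfile no longer matches package.json. The package name "my-package", the published version list and the locked version are constructed for the demo.

```javascript
// Added example: semver range matching plus npm install / npm ci style resolution.
// All package names, versions and the "registry" below are constructed, not real.

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v.trim());
  if (!m) throw new Error(`unsupported version: ${v}`);
  return m.slice(1).map(Number); // [major, minor, patch]
}

function compareVersions(a, b) {
  const [pa, pb] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] - pb[i];
  }
  return 0;
}

// Turn "^1.2.1", "~1.2.1" or "1.2.1" into an inclusive lower bound and an
// exclusive upper bound (high === null means exact match only), following npm's rules:
//   ~1.2.1  -> >=1.2.1 <1.3.0   (patch updates only)
//   ^1.2.1  -> >=1.2.1 <2.0.0   (the leftmost non-zero component is frozen)
//   ^0.2.3  -> >=0.2.3 <0.3.0,  ^0.0.3 -> >=0.0.3 <0.0.4
function rangeBounds(spec) {
  const op = spec[0] === '^' || spec[0] === '~' ? spec[0] : '';
  const base = spec.slice(op.length);
  const [major, minor, patch] = parseVersion(base);
  if (op === '') return { low: base, high: null };
  if (op === '~') return { low: base, high: `${major}.${minor + 1}.0` };
  if (major > 0) return { low: base, high: `${major + 1}.0.0` };
  if (minor > 0) return { low: base, high: `0.${minor + 1}.0` };
  return { low: base, high: `0.0.${patch + 1}` };
}

function satisfies(version, spec) {
  const { low, high } = rangeBounds(spec);
  if (high === null) return compareVersions(version, low) === 0;
  return compareVersions(version, low) >= 0 && compareVersions(version, high) < 0;
}

// npm install style: choose the newest published version that satisfies package.json,
// so the result changes whenever a new matching version is published.
function resolveLikeInstall(spec, published) {
  const ok = published.filter((v) => satisfies(v, spec)).sort(compareVersions);
  return ok.length ? ok[ok.length - 1] : null;
}

// npm ci style: take the locked version as-is, and error out (rather than rewriting
// the lockfile) when no lockfile entry exists or it no longer satisfies package.json.
function resolveLikeCi(spec, lockedVersion) {
  if (lockedVersion === undefined) throw new Error('npm ci needs package-lock.json');
  if (!satisfies(lockedVersion, spec)) {
    throw new Error(`lockfile version ${lockedVersion} does not satisfy ${spec}`);
  }
  return lockedVersion;
}

// Constructed registry state and lockfile entry for a hypothetical "my-package".
const PUBLISHED = ['1.2.1', '1.2.5', '1.3.0', '1.9.2', '2.0.0'];
const LOCKED = '1.2.1';

// Compare what each specifier form yields under the two strategies.
function demo() {
  const out = {};
  for (const spec of ['^1.2.1', '~1.2.1', '1.2.1']) {
    out[spec] = {
      install: resolveLikeInstall(spec, PUBLISHED),
      ci: resolveLikeCi(spec, LOCKED),
    };
  }
  return out;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(demo());
}
```

Running it shows "^1.2.1" resolving to 1.9.2 and "~1.2.1" to 1.2.5 under the install strategy while all three forms return the locked 1.2.1 under the ci strategy; the only way to get a stable install result without a lockfile check is the exact pin.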

regisb commented 2 years ago

I had no knowledge whatsoever of npm clean-install and it wasn't quite clear what was the difference between package.json and package-lock.json. Thanks for the very clear explanations @ghassanmas.

(For the record, I'd like to say that I think it's a terrible design decision that npm install does not install packages from package-lock.json)

I'll open a PR in Tutor to replace npm install by npm ci.