Closed ghassanmas closed 2 years ago
I had no knowledge whatsoever of `npm clean-install` and it wasn't quite clear what was the difference between package.json and package-lock.json. Thanks for the very clear explanations @ghassanmas.

(For the record, I'd like to say that I think it's a terrible design decision that `npm install` does not install packages from package-lock.json.)

I'll open a PR in Tutor to replace `npm install` by `npm ci`.
Preface:

npm install

There are major ways to install the dependencies of a node project, a.k.a. `node_modules`. The standard, typical way is to use `npm install`; using that means npm will not necessarily install the exact package version, unless the version is pinned, i.e. the version number is not prefixed with special characters. Consider the following examples ("major.minor.patch"):

1. `"my-package": "^1.2.1"` with npm install will install the latest release [^1]
2. `"my-package": "~1.2.1"` with npm install will install the latest patch release [^2]
3. `"my-package": "1.2.1"` with npm install will install the exact version always.

Also in cases 1 and 2 above, if npm finds a newer release it will update `package-lock.json` accordingly, so in other words the outcome of running `npm install` will be affected by how dependencies are updated, i.e. it's a process whose outcome varies with time.

npm ci

However, in the case of `npm ci`, it will respect the content of `package-lock.json` and never try to update it (no matter how it's defined in package.json), and will take `package.json` as a reference (not to install newer packages but just to check that the versions in package-lock.json do comply with how they are defined in package.json), i.e. it's a process with a consistent outcome as long as package-lock.json is unchanged.

So this means another major requirement is that `npm ci` requires package-lock.json to already exist, which could `npm install`.

The problem

Given Tutor uses `npm install` while edx/config uses `npm ci`, this leads to issues being raised in tutor that aren't yet reported (it can definitely be the other way around). An example is openedx/edx-platform/pull/30309.

Conclusion

@regisb suggested in last BTR meeting:

I personally think that both tutor/edx should agree to use the same pipeline; `npm ci` is very useful for production settings, while `npm install` is the right choice for a development env. Add to that, `npm ci` is way faster than `npm install`.

[^1]: Ref for the `~`
[^2]: Ref for the `^`
[^3]: As seen in npm doc 6.x, 7.x and 8.x.
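As an added illustration of the three specs and the install/ci difference described in the issue (not code from the issue, Tutor or npm), here is a toy JavaScript model; the registry snapshot, the "my-package" versions and the function names are constructed for the example, and real npm relies on the semver package rather than this simplified matcher.

```javascript
// Added example (not from the issue): a toy model of "^x.y.z", "~x.y.z" and "x.y.z"
// and of how `npm install` vs `npm ci` pick a version. Assumes major >= 1.
function parseVersion(v) {
  const [major, minor, patch] = v.split('.').map(Number);
  return { major, minor, patch };
}
// Ascending semver comparison usable with Array.prototype.sort.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  return pa.major - pb.major || pa.minor - pb.minor || pa.patch - pb.patch;
}
// Does `version` fall inside the range written in package.json?
function satisfies(spec, version) {
  const prefix = spec[0];
  const base = prefix === '^' || prefix === '~' ? spec.slice(1) : spec;
  const b = parseVersion(base), v = parseVersion(version);
  if (compareVersions(version, base) < 0) return false;   // never older than stated
  if (prefix === '^') return v.major === b.major;         // newer minor/patch allowed
  if (prefix === '~') return v.major === b.major && v.minor === b.minor; // newer patch only
  return compareVersions(version, base) === 0;            // exact pin
}
// `npm install` (cases 1 and 2 in the issue): the highest published version inside
// the range wins, so the answer drifts as the registry gains releases.
function npmInstallResolve(spec, published) {
  const ok = published.filter(v => satisfies(spec, v)).sort(compareVersions);
  if (ok.length === 0) throw new Error(`nothing published satisfies ${spec}`);
  return ok[ok.length - 1];
}
// `npm ci`: the locked version is used as-is; package.json is consulted only to
// check that the lock still complies with it, never to pick something newer.
function npmCiResolve(spec, lockedVersion) {
  if (lockedVersion === undefined) throw new Error('npm ci needs package-lock.json');
  if (!satisfies(spec, lockedVersion)) {
    throw new Error(`locked ${lockedVersion} does not satisfy ${spec} in package.json`);
  }
  return lockedVersion;
}
// Constructed registry snapshot for "my-package" and a lock made when 1.2.5 was newest.
const PUBLISHED = ['1.2.1', '1.2.5', '1.3.0', '1.4.2', '2.0.0'];
const LOCKED = '1.2.5';
// Same package.json at two points in time: only the `npm install` result moves.
function driftDemo(spec) {
  const later = PUBLISHED.concat('1.5.0'); // release published after the lock was made
  return {
    installToday: npmInstallResolve(spec, PUBLISHED),
    installLater: npmInstallResolve(spec, later),
    ci: npmCiResolve(spec, LOCKED),
  };
}
console.log(driftDemo('^1.2.1'), driftDemo('~1.2.1'));
```

The `ci` field stays at the locked version in both runs, while `installToday` and `installLater` differ for the caret range, which is the time-dependent outcome the issue describes.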