Comment by 3np

2 years ago

For situations when you care, go for `npm ci` instead of `npm install`. It will ensure lockfile consistency.

https://docs.npmjs.com/cli/v9/commands/npm-ci

4 comments

3np

Reply
arp242  2 years ago

That's just "rm -r node_modules && npm install".

Aside from needlessly taking a long time, it also means we're back to "if something goes wrong we're left with an inconsistent node_modules".

  • 3np  2 years ago

    No, it's more than that. Did you read the documentation page linked in the comment you replied to?

    > But what about after the command has run?

    If you munge around in node_modules after a successful `npm ci`, that's on you. If you run scripts that do, that's on you. If you depend on packages that run such scripts, that's on you.

    > What, you mean I'm supposed to audit my dependencies myself? That's too much work!

    Yes, as part of code review we expect our devs to manually inspect every change in the lockfile for anything that matters or might start to, which includes most things. No, you can't outsource that task to an AI, regardless of how well-performing it appears.

    • arp242  2 years ago

      It says exactly that: "If a node_modules is already present, it will be automatically removed before npm ci begins its install".

      I didn't "munge around" in node_modules; I said "if something goes wrong". Like I said in my previous comment: "I found this out a few ago after I had some corrupted files due to a flaky internet connection". That's not munging around, that's computers being computers. Network errors happen. Disk errors happen. Memory errors happen. Things like that. I've also had an install ISO corrupted at some point. I always check the sums since, just in case because there was a lot of confusion involved before I found out the ISO was just downloaded wrong for some reason. Stuff doesn't often get randomly corrupted, but it does happen, and with 2GB ISO files (or 2GB node_modules) the chances do grow.

      On Go I can do "go mod verify". I think yarn has "yarn check" for this (but didn't verify). I don't know about other package managers off-hand, but if they don't have something for it, they should. You need to be able to verify the content on disk is identical to what's expected.

      I never mentioned anything about auditing dependencies or AI.

      Your entire post is a masterclass in arguing against things that were never claimed and forceful injection of your own bugbears. I just want to check if node_modules is identical to what's expected, just in case, because computers kind of suck and are unreliable.

      1 reply →