← Back to context

Comment by user34283

3 hours ago

I can’t comment on the behavior of ancient npm versions, but with modern npm I would not even know how to skip using a lockfile.

As for the parent comment about not using the lockfile for the production build, that’s just incredibly incompetent.

Maybe they should hire someone who knows what they are doing. Contrary to the popular beliefs of backend engineers online, you also need some competency to do frontend properly.

In this case what’s needed is „npm ci“ instead of „npm install“ or better „pnpm install —frozen-lockfile“.

Pnpm will also do that automatically if the CI environment variable is set.

1 comment

user34283

Reply
cxr  35 minutes ago

> In this case what’s needed is „npm ci“ instead of „npm install“ or better „pnpm install —frozen-lockfile“.

The grugbrain developer says, "I can use git-add to keep a version controlled copy of the library in my app's source tree with no extra steps after git-clone."

(Pop quiz: what problem were the creators of NPM's lockfile format trying to solve?)