← Back to context

Comment by user34283

6 hours ago

I can’t comment on the behavior of ancient npm versions, but with modern npm I would not even know how to skip using a lockfile.

As for the parent comment about not using the lockfile for the production build, that’s just incredibly incompetent.

Maybe they should hire someone who knows what they are doing. Contrary to the popular beliefs of backend engineers online, you also need some competency to do frontend properly.

In this case what’s needed is „npm ci“ instead of „npm install“ or better „pnpm install —frozen-lockfile“.

Pnpm will also do that automatically if the CI environment variable is set.

4 comments

user34283

Reply
cxr  3 hours ago

> In this case what’s needed is „npm ci“ instead of „npm install“ or better „pnpm install —frozen-lockfile“.

The grugbrain developer says, "I can use git-add to keep a version controlled copy of the library in my app's source tree with no extra steps after git-clone."

(Pop quiz: what problem were the creators of NPM's lockfile format trying to solve?)

  • yearolinuxdsktp  2 hours ago

    Lock files were begrudgingly introduced after people who aren’t playing around with move fast and break things cried foul about dependencies being updated unexpectedly. The “semantic versioning” dogma and the illusion of safety that it brings was the original motivation. At NPM’s creation time, mature dep management ecosystems did not have floating versions, they were always pinned.

    When you are talking about checking your dependencies in the source tree, you are effectively pinning exact versions, and not using floating/tilde versioning syntax.

  • user34283  2 hours ago

    That breaks if the library uses build scripts, like for setting up native binaries, or native modules linked against the specific Node version.

    If you want a vendored deps model you can look at Yarn Plug and Play which does this via .zip files.

    However, I would just stick with regular pnpm and installs.

    • cxr  2 hours ago

      > That breaks if the library uses build scripts

      Uh… no.

      > setting up native binaries, or native modules linked against the specific Node version

      So the majority of projects—those that don't use binary NodeJS modules—don't have a reason for sidestepping the primary VCS and going along with npm's shoddily designed overlay version control approach?

      > However, I would just stick with regular pnpm and installs.

      You're not answering the question. npm isn't bedrock, and pnpm certainly isn't. If you're going to introduce (mandate) the use of a tool in the workflow, you should be able to justify it by explaining your rationale for introducing it (and making everyone deal with the associated costs). You should at minimum be able to provide a lucid explanation of the tradeoffs. For good measure, you should be able to disprove the "NPM Null Hypothesis"; you should be able to state a straightforward answer to the question, "What problem is this supposed to be solving?"