-
Notifications
You must be signed in to change notification settings - Fork 30.4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
build: move to npm ci
where possible
#21802
Conversation
Recent events (involving a maliciously published version of a popular module's dependency) have reinvigorated my interest in seeing us move to `npm ci` instead of `npm install`. This moves us to `npm ci` where possible in Makefile and vcbuild.bat.
@nodejs/build-files |
Some what of a dupe of #21538 I discovered that Thoughs? |
@MylesBorins Not sure the increase is all that significant, to be honest. If you really want to avoid it, we can add a check for the existence of the relevant |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Question: does npm ci
install devDependencies? We used to have --production
which doesn't install those.
@TimothyGu Yes, it does, although you can specify
The only place that has any effect is in This PR currently does not apply to that package.json, but when we add it, we'll have to make a decision to either add |
Checklist of stuff to do after this lands:
|
This is landable, but I'd like a second review. @nodejs/npm @nodejs/build-files Even though (as Myles pointed out) $ make lint-md-clean
rm -f -r tools/remark-cli/node_modules
rm -f -r tools/remark-preset-lint-node/node_modules
rm -f tools/.*mdlintstamp
$ make lint-md-build
Markdown linter: installing remark-cli into tools/
added 160 packages in 1.704s
Markdown linter: installing remark-preset-lint-node into tools/
added 53 packages in 1.089s
$ make lint-md-build
make: Nothing to be done for `lint-md-build'.
$ |
That's because for the two tasks (which in this case are directories) they are only run if the relevant Line 1062 in b75bde3
Lines 1066 to 1067 in b75bde3
Unfortunately there's no equivalent mechanism in |
@richardlau I wonder if that means we should back out the changes in this to |
@Trott AFAIK neither the makefile nor If I'm understanding correctly the motivation for using cc @nodejs/platform-windows |
Recent events (involving a maliciously published version of a popular module's dependency) have reinvigorated my interest in seeing us move to `npm ci` instead of `npm install`. This moves us to `npm ci` where possible in Makefile and vcbuild.bat. PR-URL: nodejs#21802 Reviewed-By: Tiancheng "Timothy" Gu <timothygu99@gmail.com> Reviewed-By: Richard Lau <riclau@uk.ibm.com> Reviewed-By: Refael Ackermann <refack@gmail.com> Reviewed-By: James M Snell <jasnell@gmail.com>
Landed in fe67287 |
Recent events (involving a maliciously published version of a popular module's dependency) have reinvigorated my interest in seeing us move to `npm ci` instead of `npm install`. This moves us to `npm ci` where possible in Makefile and vcbuild.bat. PR-URL: #21802 Reviewed-By: Tiancheng "Timothy" Gu <timothygu99@gmail.com> Reviewed-By: Richard Lau <riclau@uk.ibm.com> Reviewed-By: Refael Ackermann <refack@gmail.com> Reviewed-By: James M Snell <jasnell@gmail.com>
* remove obsolete `node_modules/js-yaml/package.json` target * remove `@touch` since `npm ci` is always destructive PR-URL: nodejs#22399 Refs: nodejs#21802 Refs: nodejs#21490 Reviewed-By: Tiancheng "Timothy" Gu <timothygu99@gmail.com> Reviewed-By: Sam Ruby <rubys@intertwingly.net> Reviewed-By: Richard Lau <riclau@uk.ibm.com> Reviewed-By: Joyee Cheung <joyeec9h3@gmail.com> Reviewed-By: Daijiro Wachi <daijiro.wachi@gmail.com>
* remove obsolete `node_modules/js-yaml/package.json` target * remove `@touch` since `npm ci` is always destructive PR-URL: #22399 Refs: #21802 Refs: #21490 Reviewed-By: Tiancheng "Timothy" Gu <timothygu99@gmail.com> Reviewed-By: Sam Ruby <rubys@intertwingly.net> Reviewed-By: Richard Lau <riclau@uk.ibm.com> Reviewed-By: Joyee Cheung <joyeec9h3@gmail.com> Reviewed-By: Daijiro Wachi <daijiro.wachi@gmail.com>
* remove obsolete `node_modules/js-yaml/package.json` target * remove `@touch` since `npm ci` is always destructive PR-URL: #22399 Refs: #21802 Refs: #21490 Reviewed-By: Tiancheng "Timothy" Gu <timothygu99@gmail.com> Reviewed-By: Sam Ruby <rubys@intertwingly.net> Reviewed-By: Richard Lau <riclau@uk.ibm.com> Reviewed-By: Joyee Cheung <joyeec9h3@gmail.com> Reviewed-By: Daijiro Wachi <daijiro.wachi@gmail.com>
Recent events (involving a maliciously published version of a popular
module's dependency) have reinvigorated my interest in seeing us move to
npm ci
instead ofnpm install
. This moves us tonpm ci
wherepossible in Makefile and vcbuild.bat.
Checklist
make -j4 test
(UNIX), orvcbuild test
(Windows) passes