We want to add an automated check to our CI server that would prevent code from getting committed that updates a dependency in package.json
but does not update the resolved dependency in package-lock.json
.
This could happen if, for example, someone updated a dependency in package.json
manually but ran npm install
instead of npm update
(npm install
favors package-lock.json
, if present). Or it could happen even if someone runs the correct npm
command when updating a dependency but then forgets to commit the resulting changes to package-lock.json
. We try to watch for these things in code review, but an automated check would definitely be better. Is there any npm
command that does this?
Here's an example to illustrate.
Before:
// package.json { "lodash": "~3.1.0" } // package-lock.json { "dependencies": { "lodash": { "version": "3.1.3" } } }
Someone updates package.json
but forgets to commit the change to package-lock.json
.
After:
// package.json { "lodash": "~3.2.0" } // package-lock.json (not changed) { "dependencies": { "lodash": { "version": "3.1.3" } } }
Now package-lock.json
no longer reflects a valid set of dependency resolutions for the package.json
file.
json intact. It is highly recommended you commit the generated package lock to source control: this will allow anyone else on your team, your deployments, your CI/continuous integration, and anyone else who runs npm install in your package source to get the exact same dependency tree that you were developing on.
The purpose of resolved in package-lock. json is to bypass the dependency resolution step (fetching metadata) when you are missing packages. integrity is to verify that you're getting the same thing.
package-lock. json is updated automatically on dependency changes. It should be committed to version control to ensure the same dependencies on install.
Running npm ls
seems to do this for you because it throws an error for discrepancies between package.json and its lock. In a node script you could do this using node's child_process.exec
or .execSync
. Async seems cleaner if you want to include helpful messages:
const cp = require("child_process"); const verify = () => cp.exec("npm ls", error => { if (error) { console.error("Dependency mismatch between package.json and lock. Run: npm install"); throw error; } console.log("Dependencies verified =)"); });
Or to keep it simple you could just run npm ls
at some point in your CI before npm install
.
...
Or to keep it simple you could just run npm ls at some point in your CI before npm install.
It doesn't cover case with initial npm install when there are not node_modules (what in case of CI server could be every time)
Use npm ci (https://docs.npmjs.com/cli/ci) available since 5.7.x version.
npm ERR! cipm can only install packages when your package.json and package-lock.json or npm-shrinkwrap.json are in sync. Please update your lock file with `npm install` before continuing. npm ERR! npm ERR! npm ERR! Invalid: lock file's [email protected] does not satisfy core-js@^3.0.0-alpha.4
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With