Is there a way to confirm a package-lock.json actually resolves all dependencies in a package.json?

We want to add an automated check to our CI server that would prevent code from getting committed that updates a dependency in package.json but does not update the resolved dependency in package-lock.json.

This could happen if, for example, someone updated a dependency in package.json manually but ran npm install instead of npm update (npm install favors package-lock.json, if present). Or it could happen even if someone runs the correct npm command when updating a dependency but then forgets to commit the resulting changes to package-lock.json. We try to watch for these things in code review, but an automated check would definitely be better. Is there any npm command that does this?

Here's an example to illustrate.

Before:

// package.json
{
    "lodash": "~3.1.0"
}

// package-lock.json
{
    "dependencies": {
        "lodash": {
            "version": "3.1.3"
        }
    }
}

Someone updates package.json but forgets to commit the change to package-lock.json.

After:

// package.json
{
    "lodash": "~3.2.0"
}

// package-lock.json (not changed)
{
    "dependencies": {
        "lodash": {
            "version": "3.1.3"
        }
    }
}

Now package-lock.json no longer reflects a valid set of dependency resolutions for the package.json file.

Andy Fiedler asked Jul 24 '17 18:07




2 Answers

Running npm ls seems to do this for you because it throws an error for discrepancies between package.json and its lock. In a Node script you could do this using Node's child_process.exec or .execSync. Async seems cleaner if you want to include helpful messages:

const cp = require("child_process");

// Runs `npm ls`; any mismatch between package.json and the lock file makes
// npm exit non-zero, which arrives here as `error`. Rethrowing it in the
// callback is uncaught, so the Node process itself exits non-zero and the
// CI step fails.
const verify = () =>
  cp.exec("npm ls", error => {
    if (error) {
      console.error("Dependency mismatch between package.json and lock. Run: npm install");
      throw error;
    }
    console.log("Dependencies verified =)");
  });

verify();

Or to keep it simple you could just run npm ls at some point in your CI before npm install.

ryanve answered Oct 13 '22 19:10


> ... Or to keep it simple you could just run npm ls at some point in your CI before npm install.

It doesn't cover the case of an initial npm install when there is no node_modules yet (which on a CI server could be every time).

Use npm ci (https://docs.npmjs.com/cli/ci), available since version 5.7.x.

npm ERR! cipm can only install packages when your package.json and package-lock.json or npm-shrinkwrap.json are in sync. Please update your lock file with `npm install` before continuing.
npm ERR!
npm ERR!
npm ERR! Invalid: lock file's [email protected] does not satisfy core-js@^3.0.0-alpha.4
Eugene Goroschenya answered Oct 13 '22 21:10