From 1d187ff837df9827fec62e62148e819c896fee98 Mon Sep 17 00:00:00 2001
From: Lukas Holzer <lukas.holzer@dynatrace.com>
Date: Wed, 2 Dec 2020 23:23:42 +0100
Subject: [PATCH] feat(builtin): use npm ci as default behaviour for installing
 node_modules

To be more hermetic with the install of the dependencies use npm ci to install the exact version from the package-lock.json file.

To update a dependency use the vendored npm binary with `bazel run @nodejs//:npm install <dep-name>`.

Fixes #159
---
 WORKSPACE                                |  1 +
 e2e/packages/WORKSPACE                   |  2 ++
 e2e/symlinked_node_modules_npm/WORKSPACE |  1 +
 examples/kotlin/WORKSPACE                |  1 +
 examples/parcel/WORKSPACE                |  1 +
 examples/vendored_node/WORKSPACE         |  1 +
 examples/vue/WORKSPACE                   |  1 +
 internal/npm_install/npm_install.bzl     | 15 ++++++++++++---
 8 files changed, 20 insertions(+), 3 deletions(-)

diff --git a/WORKSPACE b/WORKSPACE
index d5a91f6441..cd390deb0b 100644
--- a/WORKSPACE
+++ b/WORKSPACE
@@ -221,6 +221,7 @@ npm_install(
         ".json",
         ".proto",
     ],
+    npm_command = "install",
     package_json = "//:tools/fine_grained_deps_npm/package.json",
     package_lock_json = "//:tools/fine_grained_deps_npm/package-lock.json",
     symlink_node_modules = False,
diff --git a/e2e/packages/WORKSPACE b/e2e/packages/WORKSPACE
index 019a54ea11..785b7ff52e 100644
--- a/e2e/packages/WORKSPACE
+++ b/e2e/packages/WORKSPACE
@@ -19,6 +19,7 @@ npm_install(
     name = "e2e_packages_npm_install",
     args = ["--production"],
     data = ["//:postinstall.js"],
+    npm_command = "install",
     package_json = "//:npm1/package.json",
     package_lock_json = "//:npm1/package-lock.json",
     symlink_node_modules = False,
@@ -28,6 +29,7 @@ npm_install(
     name = "e2e_packages_npm_install_duplicate_for_determinism_testing",
     args = ["--production"],
     data = ["//:postinstall.js"],
+    npm_command = "install",
     package_json = "//:npm2/package.json",
     package_lock_json = "//:npm2/package-lock.json",
     symlink_node_modules = False,
diff --git a/e2e/symlinked_node_modules_npm/WORKSPACE b/e2e/symlinked_node_modules_npm/WORKSPACE
index f7f3439b77..a6f0dbb158 100644
--- a/e2e/symlinked_node_modules_npm/WORKSPACE
+++ b/e2e/symlinked_node_modules_npm/WORKSPACE
@@ -28,6 +28,7 @@ load("@build_bazel_rules_nodejs//:index.bzl", "npm_install")
 
 npm_install(
     name = "npm",
+    npm_command = "install",
     package_json = "//:package.json",
     package_lock_json = "//:package-lock.json",
     quiet = False,
diff --git a/examples/kotlin/WORKSPACE b/examples/kotlin/WORKSPACE
index 3afb344355..bd56dd498c 100644
--- a/examples/kotlin/WORKSPACE
+++ b/examples/kotlin/WORKSPACE
@@ -17,6 +17,7 @@ load("@build_bazel_rules_nodejs//:index.bzl", "npm_install")
 npm_install(
     # Name this npm so that Bazel Label references look like @npm//package
     name = "npm",
+    npm_command = "install",
     package_json = "//:package.json",
     package_lock_json = "//:package-lock.json",
 )
diff --git a/examples/parcel/WORKSPACE b/examples/parcel/WORKSPACE
index fa1990e88d..318ca679e3 100644
--- a/examples/parcel/WORKSPACE
+++ b/examples/parcel/WORKSPACE
@@ -29,6 +29,7 @@ load("@build_bazel_rules_nodejs//:index.bzl", "npm_install")
 
 npm_install(
     name = "npm",
+    npm_command = "install",
     package_json = "//:package.json",
     package_lock_json = "//:package-lock.json",
 )
diff --git a/examples/vendored_node/WORKSPACE b/examples/vendored_node/WORKSPACE
index 37c6ec11dd..3e50461e58 100644
--- a/examples/vendored_node/WORKSPACE
+++ b/examples/vendored_node/WORKSPACE
@@ -46,6 +46,7 @@ npm_install(
     data = [
         "@vendored_node_10_12_0//:node-v10.12.0-linux-x64/bin/node",
     ],
+    npm_command = "install",
     package_json = "//:package.json",
     package_lock_json = "//:package-lock.json",
 )
diff --git a/examples/vue/WORKSPACE b/examples/vue/WORKSPACE
index 9b79bd9495..849565b20f 100644
--- a/examples/vue/WORKSPACE
+++ b/examples/vue/WORKSPACE
@@ -17,6 +17,7 @@ node_repositories(package_json = ["//:package.json"])
 
 npm_install(
     name = "npm",
+    npm_command = "install",
     package_json = "//:package.json",
     package_lock_json = "//:package-lock.json",
 )
diff --git a/internal/npm_install/npm_install.bzl b/internal/npm_install/npm_install.bzl
index c74b9533e7..0bdeec6c1a 100644
--- a/internal/npm_install/npm_install.bzl
+++ b/internal/npm_install/npm_install.bzl
@@ -157,8 +157,8 @@ def _add_data_dependencies(repository_ctx):
     for f in repository_ctx.attr.data:
         to = []
         if f.package:
-            to += [f.package]
-        to += [f.name]
+            to.append(f.package)
+        to.append(f.name)
 
         # Make copies of the data files instead of symlinking
         # as yarn under linux will have trouble using symlinked
@@ -206,7 +206,11 @@ def _npm_install_impl(repository_ctx):
     is_windows_host = is_windows_os(repository_ctx)
     node = repository_ctx.path(get_node_label(repository_ctx))
     npm = get_npm_label(repository_ctx)
-    npm_args = ["install"] + repository_ctx.attr.args
+
+    # Set the base command (install or ci)
+    npm_args = [repository_ctx.attr.npm_command]
+
+    npm_args.extend(repository_ctx.attr.args)
 
     # If symlink_node_modules is true then run the package manager
     # in the package.json folder; otherwise, run it in the root of
@@ -303,6 +307,11 @@ npm_install = repository_rule(
 See npm CLI docs https://docs.npmjs.com/cli/install.html for complete list of supported arguments.""",
             default = [],
         ),
+        "npm_command": attr.string(
+            default = "ci",
+            doc = "The npm command to run, to install dependencies.",
+            values = ["ci", "install"],
+        ),
         "package_lock_json": attr.label(
             mandatory = True,
             allow_single_file = True,