feat(builtin): use npm ci as default behaviour for installing node_mo…

…dules To be more hermetic with the install of the dependencies use npm ci to install the exact version from the package-lock.json file. To update a dependency use the vendored npm binary with `bazel run @nodejs//:npm install <dep-name>`. Fixes #159
bazel-contrib · Dec 16, 2020 · 887c496 · 887c496
1 parent 795f578
commit 887c496
Show file tree

Hide file tree

Showing 5 changed files with 19 additions and 1 deletion.
diff --git a/WORKSPACE b/WORKSPACE
@@ -214,6 +214,7 @@ npm_install(
         ".json",
         ".proto",
     ],
+    npm_command = "install",
     package_json = "//:tools/fine_grained_deps_npm/package.json",
     package_lock_json = "//:tools/fine_grained_deps_npm/package-lock.json",
     symlink_node_modules = False,

diff --git a/e2e/packages/WORKSPACE b/e2e/packages/WORKSPACE
@@ -19,6 +19,7 @@ npm_install(
     name = "e2e_packages_npm_install",
     args = ["--production"],
     data = ["//:postinstall.js"],
+    npm_command = "install",
     package_json = "//:npm1/package.json",
     package_lock_json = "//:npm1/package-lock.json",
     symlink_node_modules = False,
@@ -28,6 +29,7 @@ npm_install(
     name = "e2e_packages_npm_install_duplicate_for_determinism_testing",
     args = ["--production"],
     data = ["//:postinstall.js"],
+    npm_command = "install",
     package_json = "//:npm2/package.json",
     package_lock_json = "//:npm2/package-lock.json",
     symlink_node_modules = False,

diff --git a/e2e/symlinked_node_modules_npm/WORKSPACE b/e2e/symlinked_node_modules_npm/WORKSPACE
@@ -28,6 +28,7 @@ load("@build_bazel_rules_nodejs//:index.bzl", "npm_install")
 
 npm_install(
     name = "npm",
+    npm_command = "install",
     package_json = "//:package.json",
     package_lock_json = "//:package-lock.json",
     quiet = False,

diff --git a/internal/bazel_integration_test/test_runner.js b/internal/bazel_integration_test/test_runner.js
@@ -226,6 +226,11 @@ if (config.bazelrcAppend) {
     workspaceContents =
         workspaceContents.replace(/(yarn_lock[\s\S]+?,)/gm, 'frozen_lockfile = False,\n    $1')
 
+    // We have to use npm install in favour of npm ci as the package-lock.json would not match the
+    // replaced version
+    workspaceContents = workspaceContents.replace(
+        /(package_lock_json[\s\S]+?,)/gm, 'npm_command = "install",\n    $1')
+
     if (!workspaceContents.includes(archiveFile)) {
       console.error(
           `bazel_integration_test: WORKSPACE replacement for repository ${repositoryKey} failed!`)

diff --git a/internal/npm_install/npm_install.bzl b/internal/npm_install/npm_install.bzl
@@ -206,7 +206,11 @@ def _npm_install_impl(repository_ctx):
     is_windows_host = is_windows_os(repository_ctx)
     node = repository_ctx.path(get_node_label(repository_ctx))
     npm = get_npm_label(repository_ctx)
-    npm_args = ["install"] + repository_ctx.attr.args
+
+    # Set the base command (install or ci)
+    npm_args = [repository_ctx.attr.npm_command]
+
+    npm_args.extend(repository_ctx.attr.args)
 
     # If symlink_node_modules is true then run the package manager
     # in the package.json folder; otherwise, run it in the root of
@@ -303,6 +307,11 @@ npm_install = repository_rule(
 See npm CLI docs https://docs.npmjs.com/cli/install.html for complete list of supported arguments.""",
             default = [],
         ),
+        "npm_command": attr.string(
+            default = "ci",
+            doc = "The npm command to run, to install dependencies.",
+            values = ["ci", "install"],
+        ),
         "package_lock_json": attr.label(
             mandatory = True,
             allow_single_file = True,