[BUG] npm ci respects the package-lock=false config flag #4185

Closed
2 tasks done
dominykas opened this issue Dec 20, 2021 · 3 comments
Labels: Bug (thing that needs fixing), Release 8.x (work is associated with a specific npm 8 release)


@dominykas

Is there an existing issue for this?

  • I have searched the existing issues

This issue exists in the latest npm version

  • I am using the latest npm

Current Behavior

npm ci will install latest versions, rather than versions from the shrinkwrap, if it is configured with package-lock=false (and/or shrinkwrap=false, although I didn't explicitly test what happens when the two don't match - they're aliased, aren't they?)

Expected Behavior

I realize this is a rather edgy case, but npm@6 used to respect the lockfile when running npm ci regardless of configuration.

npm ci fails when a lock file is not present, so it feels weird that it would check for the presence of a lockfile, but then entirely ignore its contents.

This might be intentional, in which case I'm sorry, but I don't recall this being mentioned under breaking changes?

Steps To Reproduce

  1. Have a repo with a lock file
  2. Configure npm via local .npmrc, or global .npmrc, or env to have package-lock=false
  3. Run npm ci

Environment

  • npm: 8.3.0
  • Node: 16.3.1
  • OS: macOS
  • platform:
  • npm config:
; copy and paste output from `npm config ls` here
dominykas added the Bug, Needs Triage and Release 8.x labels Dec 20, 2021
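Added example, not part of the original issue or npm's own code: a pre-install check, following the reproduction steps above, that scans `.npmrc` contents and `npm_config_*` environment variables for `package-lock=false` or `shrinkwrap=false` before `npm ci` runs. The function names, the set of values treated as false, and the environment-name normalization are assumptions.

```javascript
// Added example: flag npm config that disables the lockfile before `npm ci` runs.
const KEYS = new Set(['package-lock', 'shrinkwrap']); // both names appear in the issue
const OFF = new Set(['false', '0']); // assumption: values npm parses as boolean false

// Parse the key=value lines of an .npmrc (ini style; ';' and '#' start comments).
function parseNpmrc(text) {
  const out = [];
  text.split(/\r?\n/).forEach((raw, i) => {
    const line = raw.trim();
    if (!line || line.startsWith(';') || line.startsWith('#')) return;
    const eq = line.indexOf('=');
    if (eq === -1) return;
    const key = line.slice(0, eq).trim().toLowerCase();
    const value = line.slice(eq + 1).trim().replace(/^["']|["']$/g, '').toLowerCase();
    out.push({ key, value, line: i + 1 });
  });
  return out;
}

// Return one finding per setting that turns the lockfile off.
// `files` maps a path to that file's contents; `env` is an environment object.
function findLockfileOverrides(files, env = {}) {
  const findings = [];
  for (const [path, text] of Object.entries(files)) {
    for (const { key, value, line } of parseNpmrc(text)) {
      if (KEYS.has(key) && OFF.has(value)) findings.push(`${path}:${line} ${key}=${value}`);
    }
  }
  for (const [name, raw] of Object.entries(env)) {
    const m = /^npm_config_(.+)$/i.exec(name);
    if (!m) continue;
    // Assumption: npm maps npm_config_package_lock to package-lock.
    const key = m[1].toLowerCase().replace(/_/g, '-');
    const value = String(raw).trim().toLowerCase();
    if (KEYS.has(key) && OFF.has(value)) findings.push(`env:${name} ${key}=${value}`);
  }
  return findings;
}

// Constructed sample input, not taken from the issue.
const sample = findLockfileOverrides(
  { '.npmrc': '; project config\nregistry=https://registry.npmjs.org/\npackage-lock=false\n' },
  { NPM_CONFIG_SHRINKWRAP: 'false', PATH: '/usr/bin' }
);
console.log(sample.length ? sample.join('\n') : 'no lockfile overrides found');
```

In CI, pass the contents of the project, user and global `.npmrc` files plus `process.env`, and fail the job when the returned list is non-empty.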
@lirantal

@rotem-cider

@lirantal Check out more fun with .npmrc files here - #4101

ruyadorno removed the Needs Triage label Feb 3, 2022
ruyadorno self-assigned this Feb 3, 2022
ruyadorno added a commit to ruyadorno/cli that referenced this issue Feb 3, 2022
`npm ci` should never be affected by the `package-lock` config.

Fixes: npm#4185
@ruyadorno
Contributor

good catch! thanks @dominykas!
