Stuck build, many plugins affected. Any reason to gitignore package-lock.json? #13
Perhaps we should pin the versions? I've specifically excluded package-lock.json because it's very finicky and tends to get updated all the time. Internally, we pin all of our dependencies with package.json, but not the entire sub-dependency tree.
From my research this seems to be the main culprit: rollup/rollup#4213
Hi @lishid
This does not sound like a serious reason to ignore it. It is designed that way, and the lock-file usually changes together with
Hard-pinning dependencies manually in package.json is an option, but looks more like a workaround. I see 2 disadvantages:
My vote goes for committing the lock-file to git.
@joethei, thanks for sharing. I think you are right, this is the correct issue.
Should have been fixed by 3afc9d7
The `package-lock.json` is not included in the git repo by intention. What is the reason? If you want a stable build, you usually want to check such lock-files into VCS.

Today I faced the problem with my Imgur plugin based on this template. My build got stuck. That's exactly because `package-lock.json` is not committed. The `package.json` is not enough, because it does not pin the exact version of dependencies. With the `^`-notation (example: `"typescript": "^4.2.4"`) it allows the actual minor and patch versions to be higher on `npm install` if a newer version of the dependency is available on the npm registry (see npm docs).

The build of this plugin's template is currently broken too. It will get stuck forever at the very end after:

Other plugins generated from this template and not having a lock-file in git are affected too, i.e.:

I do not know the root cause of the problem. But from my experiments, the culprit of the stuck build with this Rollup setup is TypeScript 4.4.1+, which now gets installed on `npm install` without `package-lock.json`. I think that the lock-file should not be ignored and must be committed to git.

Also, another common mistake I see people make is using `npm install` instead of `npm ci` on their automated builds. `npm install` leaves the possibility for the lock-file to be updated on a clean install if the situation on the npm registry has changed. I think the right choice for CI should be the `npm ci` command with the lock-file tracked by VCS to get stable, reproducible builds.