You sir, are a gentleman and a scholar! Thanks for the background info, the current state of affairs, the controversy, and finally (most of all) the fix.
On Sat, Aug 25, 2018, 12:52 PM Shane Ardell <shane.m.ard...@gmail.com> wrote: > NPM's use of lock files has been quite controversial. I won't go into it > too deep here as there are endless posts criticizing and justifying their > approach, but `npm install` will install all modules listed as dependencies > in package.json and update package-lock.json accordingly instead of > referencing the lock file. This caused a lot of outrage in the community (I > would argue rightfully so), which led to a compromise in release 5.7.1 with > `npm ci`. This command installs exactly what is specified in the > package-lock.json. > > https://blog.npmjs.org/post/171556855892/introducing-npm-ci-for-faster-more-reliable > > Metron's build currently uses `npm install`, which is why we are seeing the > package-lock.json update whenever we build locally. Coincidentally, I just > addressed this by switching to `npm ci` in an open PR of mine because I > noticed the same happening locally and I was already updating npm commands > in the pom.xml. > > https://github.com/apache/metron/pull/1096/files#diff-e8f55f2d9e4f18085052a36d750e9648L60 > > > > On Sat, Aug 25, 2018 at 7:13 PM Casey Stella <ceste...@gmail.com> wrote: > > > Yeah, that's what I thought too, but I wonder if it triggers a change if > > there's a dependency that is not version locked (i.e. the most recent > > version of dependency x moved from y to z). > > > > On Sat, Aug 25, 2018 at 11:52 AM Michael Miklavcic < > > michael.miklav...@gmail.com> wrote: > > > > > Somewhere along the line the dependencies appear to have changed, but > the > > > file never got checked in. I don't like that this part of our build > also > > > seems to be non-deterministic. If I build metron 0.4.x today, for > > instance, > > > what will I get? If the answer is "who knows?" that's unacceptable, > imo. > > > I've glanced at the package file and see carrots littering the > > > dependencies, which as I understand it means "get me anything later > than > > > this version." I do not think we should be doing that. > > > > > > > > > On Sat, Aug 25, 2018, 9:14 AM Casey Stella <ceste...@gmail.com> wrote: > > > > > > > I have looked into this for other reasons and the guidance that I've > > seen > > > > is to check in package-lock.json into source control. I'll leave > this > > > > stack overflow thread here: > > > > > > > > > > > > > > https://stackoverflow.com/questions/44206782/do-i-commit-the-package-lock-json-file-created-by-npm-5 > > > > > > > > I want to point out that I hate that this changes as part of the > build. > > > I > > > > haven't gotten a complete handle on exactly why package-lock is > > changing > > > > seemingly non-deterministically yet. > > > > > > > > Casey > > > > > > > > On Sat, Aug 25, 2018 at 11:05 AM Nick Allen <n...@nickallen.org> > > wrote: > > > > > > > > > Yes, I have noticed that also, but have not looked deeper. > > > > > > > > > > On Sat, Aug 25, 2018 at 10:32 AM Otto Fowler < > > ottobackwa...@gmail.com> > > > > > wrote: > > > > > > > > > > > I just did a PR, can saw that the package.lock file for alerts-ui > > was > > > > > > changed, with updated versions. > > > > > > I did *not* change the file, nor anything in metron-interface. > That > > > > seems > > > > > > to imply that this file is changed or updated by > > > > > > something that happens during building or deploying full dev. > > > > > > > > > > > > Is this true? How does this work? Is this on purpose? > > > > > > > > > > > > ottO > > > > > > > > > > > > > > > > > > > > >
