8000 [Bug]: Package Install Command Should Ensure Lock Files are Used Only · Issue #21 · inpsyde/composer-asset-compiler · GitHub
[go: up one dir, main page]
More Web Proxy on the site http://driver.im/
Skip to content

[Bug]: Package Install Command Should Ensure Lock Files are Used Only #21

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
1 task done
timnolte opened this issue Nov 13, 2023 · 1 comment
Open
1 task done

[Bug]: Package Install Command Should Ensure Lock Files are Used Only #21

timnolte opened this issue Nov 13, 2023 · 1 comment
Labels
bug Something isn't working

Comments

@timnolte
Copy link

Description of the bug

The documentation specifies that either npm install or yarn install are call however, it is widely known that these calls can result in newer versions of packages being installed that meet the package.json version pattern requirements. It it generally best practice to use npm ci & yarn install --frozen-lockfile to ensure that only the versions specified in the lock files are what is actually installed.

If you need reproducible dependencies, which is usually the case with the continuous integration systems, you should pass --frozen-lockfile flag.

Reproduction instructions

Setup a repository with this package with a minimal configuration and a lock file. Observe that patch releases may automatically be installed that are not what's listed in the lock file.

Expected behavior

When packages are installed they should only be the versions in the lock file.

Environment info

No response

Relevant log output

No response

Additional context

No response

Code of Conduct

  • I agree to follow this project's Code of Conduct
@timnolte timnolte added the bug Something isn't working label Nov 13, 2023
@gmazzap
Copy link
Contributor
gmazzap commented Nov 14, 2023

This is configurable, but probably make sense to have this as default. Will get the opinion of some more frontend-savvy person than me.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@gmazzap @timnolte
0