Diffstat
-rw-r--r-- _posts/2018-08-01-verifying-npm-ci-reproducibility.md | 21
1 file changed, 11 insertions, 10 deletions
diff --git a/_posts/2018-08-01-verifying-npm-ci-reproducibility.md b/_posts/2018-08-01-verifying-npm-ci-reproducibility.md index f1fd1dd..ff983e5 100644 --- a/_posts/2018-08-01-verifying-npm-ci-reproducibility.md +++ b/_posts/2018-08-01-verifying-npm-ci-reproducibility.md @@ -7,11 +7,11 @@ ref: veryfing-npm-ci-reproducibility updated_at: 2019-05-22 --- When [npm@5](https://blog.npmjs.org/post/161081169345/v500) came bringing -[package-locks](https://docs.npmjs.com/files/package-locks) with it, I -was confused about the benefits it provided, since running `npm install` -more than once could resolve all the dependencies again and yield yet -another fresh `package-lock.json` file. The message saying "you should -add this file to version control" left me hesitant on what to do[^1]. +[package-locks](https://docs.npmjs.com/files/package-locks) with it, I was +confused about the benefits it provided, since running `npm install` more than +once could resolve all the dependencies again and yield yet another fresh +`package-lock.json` file. The message saying "you should add this file to +version control" left me hesitant on what to do[^package-lock-message]. However the [addition of `npm ci`](https://blog.npmjs.org/post/171556855892/introducing-npm-ci-for-faster-more-reliable) filled this gap: it's a stricter variation of `npm install` which @@ -105,7 +105,7 @@ You can try copying and pasting it to verify the hash signatures. *I've done all of the following using Node.js v8.11.3 and npm@6.1.0.* In this test case I'll take the main repo of -[Lerna](https://lernajs.io/)[^2]: +[Lerna](https://lernajs.io/)[^lerna-package-lock]: ```bash cd /tmp/ 
@@ -138,9 +138,10 @@ signature of a directory. If you know any I'd [like to know](mailto:eu@euandre.o 2019/05/22: Fix spelling. -[^1]: The [documentation](https://docs.npmjs.com/cli/install#description) - claims `npm install` is driven by the existing `package-lock.json`, - but that's actually [a little bit tricky](https://github.com/npm/npm/issues/17979#issuecomment-332701215). +[^package-lock-message]: The + [documentation](https://docs.npmjs.com/cli/install#description) claims `npm + install` is driven by the existing `package-lock.json`, but that's actually + [a little bit tricky](https://github.com/npm/npm/issues/17979#issuecomment-332701215). -[^2]: Finding a big known repo that actually committed the +[^lerna-package-lock]: Finding a big known repo that actually committed the `package-lock.json` file was harder than I expected. |
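Review bot: In the `@@ -7,11 +7,11 @@` hunk the front-matter context line `ref: veryfing-npm-ci-reproducibility` still carries the "veryfing" misspelling even though the changelog entry in the last hunk says "2019/05/22: Fix spelling."; if nothing keys on that `ref` value (translations or permalinks), this commit is the natural place to correct it to `verifying-npm-ci-reproducibility`, and if something does key on it, a short comment next to it saying why the typo is kept would save the next reader the same question. Otherwise the rewrap and the switch from numeric footnotes to named ones (`[^package-lock-message]`, `[^lerna-package-lock]`) is consistent across all three hunks: every renamed reference has a matching renamed definition.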
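Review bot: In the `@@ -138,9 +138,10 @@` hunk the new `[^package-lock-message]` definition wraps an inline code span across a line break (`claims \`npm` at the end of one line, `install\` is driven` at the start of the next); not every Markdown renderer joins a backtick span that straddles a newline inside a footnote, so keep `npm install` on a single line (for example by breaking before `claims` instead) to be sure it still renders as code rather than as a stray backtick.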