We’re working through some issues where some of our JS contributors are committing a package.json update for our deployed app without also updating package-lock.json. This presents problems when trying to create reproducible builds with deterministic dependencies. Most recently some of our builds have failed on Netlify but work fine locally (while silently overwriting package-lock.json and creating a dirty git tree). I want broken builds to break in CI, and automated builds should absolutely never overwrite the lockfile.
I’ve noticed that JS builds without a yarn.lock file automatically run `npm install` before turning over to the build command in my netlify.toml file. The yarn builds seem to run `yarn install`. Neither of these is correct. Both tools have ways to pull deps solely from their respective lockfiles and verify that the package.json is compatible with the locks. If the lockfiles don’t match package.json, the build will fail. For npm the correct invocation is `npm ci` and for yarn it appears to be `yarn install --frozen-lockfile`.
Is there any way to run `npm ci` instead of `npm install`, or otherwise have Netlify skip the install step so I can run `npm ci` myself without the automatic install step screwing up my checkout?