Somewhere along the line the dependencies appear to have changed, but the
file never got checked in. I don't like that this part of our build also
seems to be non-deterministic. If I build metron 0.4.x today, for instance,
what will I get? If the answer is "who knows?" that's unacceptable, imo.
I've glanced at the package file and see carets littering the
dependencies, which as I understand it means "get me anything later than
this version." I do not think we should be doing that.


On Sat, Aug 25, 2018, 9:14 AM Casey Stella <ceste...@gmail.com> wrote:

> I have looked into this for other reasons and the guidance that I've seen
> is to check in package-lock.json into source control.  I'll leave this
> stack overflow thread here:
>
> https://stackoverflow.com/questions/44206782/do-i-commit-the-package-lock-json-file-created-by-npm-5
>
> I want to point out that I hate that this changes as part of the build.  I
> haven't gotten a complete handle on exactly why package-lock is changing
> seemingly non-deterministically yet.
>
> Casey
>
> On Sat, Aug 25, 2018 at 11:05 AM Nick Allen <n...@nickallen.org> wrote:
>
> > Yes, I have noticed that also, but have not looked deeper.
> >
> > On Sat, Aug 25, 2018 at 10:32 AM Otto Fowler <ottobackwa...@gmail.com>
> > wrote:
> >
> > > I just did a PR, and saw that the package.lock file for alerts-ui was
> > > changed, with updated versions.
> > > I did *not* change the file, nor anything in metron-interface. That seems
> > > to imply that this file is changed or updated by
> > > something that happens during building or deploying full dev.
> > >
> > > Is this true?  How does this work?  Is this on purpose?
> > >
> > > ottO
> > >
> >
>
