NPM's use of lock files has been quite controversial. I won't go into it
too deep here as there are endless posts criticizing and justifying their
approach, but `npm install` will install all modules listed as dependencies
in package.json and update package-lock.json accordingly instead of
referencing the lock file. This caused a lot of outrage in the community (I
would argue rightfully so), which led to a compromise in release 5.7.1 with
`npm ci`. This command installs exactly what is specified in the
package-lock.json.
https://blog.npmjs.org/post/171556855892/introducing-npm-ci-for-faster-more-reliable

Metron's build currently uses `npm install`, which is why we are seeing the
package-lock.json update whenever we build locally. Coincidentally, I just
addressed this by switching to `npm ci` in an open PR of mine because I
noticed the same happening locally and I was already updating npm commands
in the pom.xml.
https://github.com/apache/metron/pull/1096/files#diff-e8f55f2d9e4f18085052a36d750e9648L60
On Sat, Aug 25, 2018 at 7:13 PM Casey Stella <ceste...@gmail.com> wrote:

> Yeah, that's what I thought too, but I wonder if it triggers a change if
> there's a dependency that is not version locked (i.e. the most recent
> version of dependency x moved from y to z).
>
> On Sat, Aug 25, 2018 at 11:52 AM Michael Miklavcic <michael.miklav...@gmail.com> wrote:
>
> > Somewhere along the line the dependencies appear to have changed, but the
> > file never got checked in. I don't like that this part of our build also
> > seems to be non-deterministic. If I build metron 0.4.x today, for instance,
> > what will I get? If the answer is "who knows?" that's unacceptable, imo.
> > I've glanced at the package file and see carets littering the
> > dependencies, which as I understand it means "get me anything later than
> > this version." I do not think we should be doing that.
> >
> > On Sat, Aug 25, 2018, 9:14 AM Casey Stella <ceste...@gmail.com> wrote:
> >
> > > I have looked into this for other reasons and the guidance that I've seen
> > > is to check in package-lock.json into source control. I'll leave this
> > > stack overflow thread here:
> > >
> > > https://stackoverflow.com/questions/44206782/do-i-commit-the-package-lock-json-file-created-by-npm-5
> > >
> > > I want to point out that I hate that this changes as part of the build. I
> > > haven't gotten a complete handle on exactly why package-lock is changing
> > > seemingly non-deterministically yet.
> > >
> > > Casey
> > >
> > > On Sat, Aug 25, 2018 at 11:05 AM Nick Allen <n...@nickallen.org> wrote:
> > >
> > > > Yes, I have noticed that also, but have not looked deeper.
> > > >
> > > > On Sat, Aug 25, 2018 at 10:32 AM Otto Fowler <ottobackwa...@gmail.com> wrote:
> > > >
> > > > > I just did a PR, and saw that the package.lock file for alerts-ui was
> > > > > changed, with updated versions.
> > > > > I did *not* change the file, nor anything in metron-interface. That seems
> > > > > to imply that this file is changed or updated by
> > > > > something that happens during building or deploying full dev.
> > > > >
> > > > > Is this true? How does this work? Is this on purpose?
> > > > >
> > > > > ottO
> > > > >
> > > >
> > >
> >
>
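Since the thread hinges on floating ranges in package.json and a lock file that `npm install` rewrites, the check below flags both before a build runs. It is an added example, not code from the thread or the Metron project: it audits a constructed package.json against a constructed package-lock.json (lockfileVersion 1, as in 2018, with v2/v3 `packages` lookup added as a generalization) and reports range specs, packages missing from the lock, lock entries without an integrity hash, and exact pins whose locked version differs.

```javascript
// Exact pin such as 4.17.10 (optionally with a prerelease tag); anything else
// (^, ~, >=, x, *, tags, URLs) lets `npm install` resolve a newer release.
const EXACT_VERSION = /^\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?$/;

// Lock entry for a top-level dependency: lockfileVersion 1 keys entries by
// name under "dependencies"; v2/v3 key them by path under "packages".
function lockEntry(lock, name) {
  const v2 = lock.packages && lock.packages[`node_modules/${name}`];
  return v2 || (lock.dependencies && lock.dependencies[name]) || null;
}

// Compares declared dependencies with the lock file and reports:
// ranges (floating specs), missing (no lock entry, so install would write one),
// noIntegrity (no hash to verify the tarball), mismatch (pin != locked version).
function auditLock(pkgJsonText, lockText) {
  const pkg = JSON.parse(pkgJsonText);
  const lock = JSON.parse(lockText);
  const report = { ranges: [], missing: [], noIntegrity: [], mismatch: [] };
  const declared = { ...pkg.dependencies, ...pkg.devDependencies };
  for (const [name, spec] of Object.entries(declared)) {
    const exact = EXACT_VERSION.test(spec);
    if (!exact) report.ranges.push(`${name}@${spec}`);
    const entry = lockEntry(lock, name);
    if (!entry) { report.missing.push(name); continue; }
    if (!entry.integrity) report.noIntegrity.push(name);
    if (exact && entry.version !== spec) report.mismatch.push(`${name}: ${spec} vs ${entry.version}`);
  }
  return report;
}

// True only when package.json and the lock file agree on every package.
function isDeterministic(report) {
  return Object.values(report).every((list) => list.length === 0);
}

// Constructed sample inputs (placeholder integrity values, not registry data).
const SAMPLE_PACKAGE_JSON = JSON.stringify({
  dependencies: { lodash: '^4.17.10', rxjs: '5.5.6', moment: '~2.22.0' },
  devDependencies: { typescript: '2.9.2' },
});
const SAMPLE_LOCK = JSON.stringify({
  lockfileVersion: 1,
  dependencies: {
    lodash: { version: '4.17.10', integrity: 'sha512-PLACEHOLDER' },
    rxjs: { version: '5.5.7', integrity: 'sha512-PLACEHOLDER' },
    moment: { version: '2.22.2' },
  },
});

console.log(auditLock(SAMPLE_PACKAGE_JSON, SAMPLE_LOCK));
```

`npm ci` refuses to run when package.json and the lock disagree, so a non-empty `missing` or `mismatch` list is what that command would reject; `ranges` is the caret problem Michael raises, which the lock file masks until someone runs `npm install`.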
