To clarify a bit, the reason `yarn install --frozen-lockfile` exists is not 
because `yarn install` will modify the lock file randomly; it's because 
someone can check in code where they modified the `package.json` but didn't 
update the lockfile. The same would be possible with mix, where you update 
dependency versions in `mix.exs` but then don't run `mix deps.get`. The reason 
you want to run `yarn install --frozen-lockfile`, which fails if the 
`package.json` and lockfile are out of sync, is to ensure that nobody 
accidentally checks in changes to `package.json` without having also updated 
the lockfile. Possibly this is less of a problem in Elixir, since you 
wouldn't normally be able to install deps without updating the lockfile, 
while in a node environment you just use `npm install` instead of `yarn 
install` or vice versa.

`npm ci` does some other stuff too related to "best practice" around 
running in CI: https://docs.npmjs.com/cli/ci.html

On Wednesday, March 18, 2020 at 11:00:57 AM UTC, José Valim wrote:
>
> As I said, mix deps.get should not change the .lock file, ever. If it 
> does, it is a bug.
>
> On Wed, Mar 18, 2020 at 11:32 AM Norbert Melzer <[email protected]> wrote:
>
>> The "rewrite lockfile" on format change is actually a problem on NixOS, 
>> where even in non-sandboxed builds, the source files are read-only and 
>> therefore `mix deps.get` might crash, just because it wants to update the 
>> lock file.
>>
>> It would be indeed nice if there were an option (or environment variable) 
>> which would avoid writing back to the lock file.
>>
>>
>> On Wed, Mar 18, 2020 at 9:26 AM Alessio 'Blaster' Biancalana <[email protected]> wrote:
>>
>>> Thanks to all for the answers! It makes a bit more sense now :-) In CI 
>>> or delivery envs nonetheless you don't want the lockfile to be changed at 
>>> all. I'll dive more and come back with something more structured.
>>>
>>> Alessio
>>>
>>> On Tue, Mar 17, 2020 at 10:20 PM Alexei Sholik <[email protected]> wrote:
>>>
>>>> Sometimes the lockfile is updated when its format changes, but all the 
>>>> deps remain at the same versions. I've seen that a number of times when 
>>>> upgrading the version of Hex and/or Elixir.
>>>>
>>>> On Tue, Mar 17, 2020 at 5:08 PM Wojtek Mach <[email protected]> wrote:
>>>>
>>>>> Yeah, `mix deps.get` would create the lock file if there isn’t one, 
>>>>> but I also believe it would not update it unless you also change your 
>>>>> deps. If that isn’t the case I would also argue that’s a bug (i.e. 
>>>>> `--frozen-lockfile` would be implicit. An exception is where we change the 
>>>>> lock file format, e.g. recent hex checksum changes.)
>>>>>
>>>>> On 17 Mar 2020, at 16:06, Alessio 'Blaster' Biancalana <[email protected]> wrote:
>>>>>
>>>>> Hi José,
>>>>> Wow, this is an unexpected turn of events. :-D I will track if it 
>>>>> happens again, sometimes my provisioning scripts (ansible roles and stuff 
>>>>> like that) find local modifications in my repos so it definitely gets 
>>>>> updated. I will come back with a more detailed analysis then, thank you 
>>>>> for the kind reply!
>>>>>
>>>>> Alessio
>>>>>
>>>>> On Tue, Mar 17, 2020 at 4:01 PM José Valim <[email protected]> wrote:
>>>>>
>>>>>> AFAIK, mix deps.get doesn't update the lockfile. If it does, it is a 
>>>>>> bug. :)
>>>>>>
>>>>>> On Tue, Mar 17, 2020 at 3:54 PM Alessio Biancalana <[email protected]> wrote:
>>>>>>
>>>>>>> Hello,
>>>>>>> It's my first time proposing a feature for a programming language so 
>>>>>>> I don't know how to deal with it and I hope to do it right :-)
>>>>>>>
>>>>>>> Coming from other ecosystems I saw that some platforms offer a way 
>>>>>>> to avoid updating the lockfile while downloading dependencies for a 
>>>>>>> project, mainly for software delivery and continuous integration 
>>>>>>> purposes. One example of this is the `npm ci` command, or `yarn install 
>>>>>>> --frozen-lockfile` command, for JavaScript projects.
>>>>>>>
>>>>>>> I love the idea to provide an option to operate with a project 
>>>>>>> avoiding generating new files or modifying existing ones, so I was 
>>>>>>> thinking about adding something like `mix deps.get --ci` or `mix deps.get 
>>>>>>> --avoid-lockfile-update`. I basically didn't want to steal the "frozen 
>>>>>>> lockfile" name, even if it is nice :-D
>>>>>>>
>>>>>>> From my point of view this could be a nice improvement, looking 
>>>>>>> forward to hearing from you,
>>>>>>>
>>>>>>> Alessio
>>>>>>>
>>>>>>>
>>>>>>> -- 
>>>>>>> You received this message because you are subscribed to the Google 
>>>>>>> Groups "elixir-lang-core" group.
>>>>>>> To unsubscribe from this group and stop receiving emails from it, 
>>>>>>> send an email to [email protected].
>>>>>>> To view this discussion on the web visit 
>>>>>>> https://groups.google.com/d/msgid/elixir-lang-core/7538c297-6b3a-4d63-9324-4a1bd00b0cbe%40googlegroups.com.
>>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>> -- 
>>>> Best regards
>>>> Alexei Sholik
>>>>
>>>>
>>>
>>
>
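
An added example (not from the thread and not part of Mix): a POSIX shell guard for the CI case discussed above, which runs a fetch command such as `mix deps.get` and fails the step if the checked-in lockfile is missing, the command fails, or the lockfile differs afterwards. The function name `assert_lock_unchanged` and its exit codes are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: fail a CI step when a dependency fetch rewrites the lockfile.
# Assumed usage, run from the project root:
#   assert_lock_unchanged mix.lock mix deps.get
# Exit codes (chosen for this example): 0 unchanged, 1 lockfile modified,
# 2 lockfile not present, 3 fetch command (or snapshot) failed.

assert_lock_unchanged() {
    lockfile=$1
    shift

    # The fetch would create a missing lockfile, so a fresh resolution
    # would go unnoticed; treat absence as a failure up front.
    if [ ! -f "$lockfile" ]; then
        echo "error: $lockfile is not checked in" >&2
        return 2
    fi

    # Keep a byte-exact copy of the committed lockfile to compare against.
    snapshot=$(mktemp) || return 3
    cp "$lockfile" "$snapshot" || { rm -f "$snapshot"; return 3; }

    # Run the fetch exactly as given. A failure here also covers the
    # read-only source tree case, where the lockfile cannot be written.
    if ! "$@"; then
        rm -f "$snapshot"
        echo "error: '$*' failed" >&2
        return 3
    fi

    if cmp -s "$snapshot" "$lockfile"; then
        rm -f "$snapshot"
        return 0
    fi

    # Put the difference in the CI log so the reviewer can see whether it
    # is a version change or only a format rewrite.
    echo "error: '$*' modified $lockfile:" >&2
    diff -u "$snapshot" "$lockfile" >&2 || true
    rm -f "$snapshot"
    return 1
}
```

A format-only rewrite after a Hex or Elixir upgrade, as described in the thread, also trips this guard; the diff in the log shows which case occurred.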
