Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Move generate-images dependencies to package.json #30688

Closed
wants to merge 1 commit into from
Closed

Move generate-images dependencies to package.json #30688

wants to merge 1 commit into from

Conversation

silverwind
Copy link
Member

@silverwind silverwind commented Apr 24, 2024
edited
Loading

Fixes: #30685

I consider it fixed because npm i --no-save with lockfile should be fully reproducible, faster and have less bugs than npm ci, unless someone proves me wrong.

@GiteaBot GiteaBot added the lgtm/need 2 This PR needs two approvals by maintainers to be considered for merging. label Apr 24, 2024
@pull-request-size pull-request-size bot added the size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. label Apr 24, 2024
@silverwind silverwind mentioned this pull request Apr 24, 2024
Closed
@pboguslawski
Copy link
Contributor

According to the npm manual --no-save only prevents saving to dependencies (doesn't say nothing about installation of versions locked with checksums). So it's not designed for reproducible builds problably. See more opinions about using npm ci for reliable builds.

@silverwind
Copy link
Member Author

The important part of no-save is "Will also prevent writing to package-lock.json if set to false.", so it will reproduce a node_modules a bit less strict than npm ci but it's not a issue because we validate our lockfile is consistent on CI.

@silverwind
Copy link
Member Author

That said, I'm leaving it open for the future to run npm ci for example when build is in MAKECMDGOALS, which would kind of be an extra reinforcement during the build.

@silverwind
Copy link
Member Author

silverwind commented Apr 24, 2024
edited
Loading

On topic of this PR, I'm still unsure if it's really worth the trouble to expose us to build failures of the canvas module. #30596 (comment) says removing --no-package-lock solved the issue and we have that already removed on main branch since a while, so I think I'm leaning towards leaving it at that and closing this PR.

@silverwind
Copy link
Member Author

Closing, I'll take another approach with separate lockfile.

@silverwind silverwind closed this Apr 24, 2024
@silverwind silverwind deleted the fabdep branch April 24, 2024 21:16
@go-gitea go-gitea locked as resolved and limited conversation to collaborators Jul 24, 2024
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers
No reviews
Assignees
No one assigned
Labels
lgtm/need 2 This PR needs two approvals by maintainers to be considered for merging. modifies/dependencies modifies/internal modifies/js size/XS Denotes a PR that changes 0-9 lines, ignoring generated files.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Reproducible builds and strict dependency verification
3 participants
@silverwind @pboguslawski @GiteaBot