Force NPM to Install All Dependencies from Custom, Cloned Repositories












0















This is more of an architectural approach question than a specific programming issue.



The situation:



Due to issues like the left pad incident and dependencies that are releasing breaking changes without changing their version numbers, some build failures can occur without changing any project code or npm configuration information such as package.json and package-lock.json. My build system will run npm install on the repository and pull down the dependencies before each build. Even with a package-lock.json file committed and in play, the build can randomly fail (and recently has failed) due to changes in dependencies that I do not control.



It has been decided, corporately, that we shall no longer allow this to happen.



Considering the options, the easiest solution seems to be simply committing the node_modules folder with a known good configuration. However, I fear this may cause issues due to the different OS usage between developer clients and build systems, Mac and Linux, respectively. Apparently some dependencies will make environment-specific compilations upon install, and committing them will result in the wrong binaries being present on the build system.



Alternatively, I've been looking for a way to mass clone not just our dependencies, but our dependencies' dependencies in some automated fashion to our local repositories. In theory, I could get my dependencies from my clones of the repository on both the dev clients and build servers, assured that the dependencies cannot change in any way, no matter how deep, unless I decide to change them manually. However, though I can certainly specify dependencies relative to a git repo URL in package.json, the package-lock.json file is the only file that actually contains all of the dependencies. And it does not reference git repo URLs, but some "resolved" URL that references a .tgz file provided by npmjs.org.



Is there a way to force my NPM commands or the package-lock.json file to use custom repos for ALL dependencies, and point them to our clones?



Am I missing some other method of achieving this goal? How have you solved this problem?



Most articles and StackOverflow questions on the subject seem to either endorse the idea that NPM, combined with a checked in package-lock.json will always solve this problem, which is incorrect in our case. Or they recommend committing the node_modules folder (to which there is fanatical opposition from others).






npm clone dependency-management







share|improve this question





























    0















    This is more of an architectural approach question than a specific programming issue.



    The situation:



    Due to issues like the left pad incident and dependencies that are releasing breaking changes without changing their version numbers, some build failures can occur without changing any project code or npm configuration information such as package.json and package-lock.json. My build system will run npm install on the repository and pull down the dependencies before each build. Even with a package-lock.json file committed and in play, the build can randomly fail (and recently has failed) due to changes in dependencies that I do not control.



    It has been decided, corporately, that we shall no longer allow this to happen.



    Considering the options, the easiest solution seems to be simply committing the node_modules folder with a known good configuration. However, I fear this may cause issues due to the different OS usage between developer clients and build systems, Mac and Linux, respectively. Apparently some dependencies will make environment-specific compilations upon install, and committing them will result in the wrong binaries being present on the build system.



    Alternatively, I've been looking for a way to mass clone not just our dependencies, but our dependencies' dependencies in some automated fashion to our local repositories. In theory, I could get my dependencies from my clones of the repository on both the dev clients and build servers, assured that the dependencies cannot change in any way, no matter how deep, unless I decide to change them manually. However, though I can certainly specify dependencies relative to a git repo URL in package.json, the package-lock.json file is the only file that actually contains all of the dependencies. And it does not reference git repo URLs, but some "resolved" URL that references a .tgz file provided by npmjs.org.



    Is there a way to force my NPM commands or the package-lock.json file to use custom repos for ALL dependencies, and point them to our clones?



    Am I missing some other method of achieving this goal? How have you solved this problem?



    Most articles and StackOverflow questions on the subject seem to either endorse the idea that NPM, combined with a checked in package-lock.json will always solve this problem, which is incorrect in our case. Or they recommend committing the node_modules folder (to which there is fanatical opposition from others).






    npm clone dependency-management







    share|improve this question



























      0












      0








      0








      This is more of an architectural approach question than a specific programming issue.



      The situation:



      Due to issues like the left pad incident and dependencies that are releasing breaking changes without changing their version numbers, some build failures can occur without changing any project code or npm configuration information such as package.json and package-lock.json. My build system will run npm install on the repository and pull down the dependencies before each build. Even with a package-lock.json file committed and in play, the build can randomly fail (and recently has failed) due to changes in dependencies that I do not control.



      It has been decided, corporately, that we shall no longer allow this to happen.



      Considering the options, the easiest solution seems to be simply committing the node_modules folder with a known good configuration. However, I fear this may cause issues due to the different OS usage between developer clients and build systems, Mac and Linux, respectively. Apparently some dependencies will make environment-specific compilations upon install, and committing them will result in the wrong binaries being present on the build system.



      Alternatively, I've been looking for a way to mass clone not just our dependencies, but our dependencies' dependencies in some automated fashion to our local repositories. In theory, I could get my dependencies from my clones of the repository on both the dev clients and build servers, assured that the dependencies cannot change in any way, no matter how deep, unless I decide to change them manually. However, though I can certainly specify dependencies relative to a git repo URL in package.json, the package-lock.json file is the only file that actually contains all of the dependencies. And it does not reference git repo URLs, but some "resolved" URL that references a .tgz file provided by npmjs.org.



      Is there a way to force my NPM commands or the package-lock.json file to use custom repos for ALL dependencies, and point them to our clones?



      Am I missing some other method of achieving this goal? How have you solved this problem?



      Most articles and StackOverflow questions on the subject seem to either endorse the idea that NPM, combined with a checked in package-lock.json will always solve this problem, which is incorrect in our case. Or they recommend committing the node_modules folder (to which there is fanatical opposition from others).






      npm clone dependency-management







      share|improve this question
















      This is more of an architectural approach question than a specific programming issue.



      The situation:



      Due to issues like the left pad incident and dependencies that are releasing breaking changes without changing their version numbers, some build failures can occur without changing any project code or npm configuration information such as package.json and package-lock.json. My build system will run npm install on the repository and pull down the dependencies before each build. Even with a package-lock.json file committed and in play, the build can randomly fail (and recently has failed) due to changes in dependencies that I do not control.



      It has been decided, corporately, that we shall no longer allow this to happen.



      Considering the options, the easiest solution seems to be simply committing the node_modules folder with a known good configuration. However, I fear this may cause issues due to the different OS usage between developer clients and build systems, Mac and Linux, respectively. Apparently some dependencies will make environment-specific compilations upon install, and committing them will result in the wrong binaries being present on the build system.



      Alternatively, I've been looking for a way to mass clone not just our dependencies, but our dependencies' dependencies in some automated fashion to our local repositories. In theory, I could get my dependencies from my clones of the repository on both the dev clients and build servers, assured that the dependencies cannot change in any way, no matter how deep, unless I decide to change them manually. However, though I can certainly specify dependencies relative to a git repo URL in package.json, the package-lock.json file is the only file that actually contains all of the dependencies. And it does not reference git repo URLs, but some "resolved" URL that references a .tgz file provided by npmjs.org.



      Is there a way to force my NPM commands or the package-lock.json file to use custom repos for ALL dependencies, and point them to our clones?



      Am I missing some other method of achieving this goal? How have you solved this problem?



      Most articles and StackOverflow questions on the subject seem to either endorse the idea that NPM, combined with a checked in package-lock.json will always solve this problem, which is incorrect in our case. Or they recommend committing the node_modules folder (to which there is fanatical opposition from others).






      npm clone dependency-management




      npm clone dependency-management






      share|improve this question















      share|improve this question













      share|improve this question




      share|improve this question








      edited Nov 22 '18 at 6:02







      Dwight

















      asked Nov 22 '18 at 5:56









      DwightDwight

      6071917




      6071917
























          0






          active

          oldest

          votes











          Your Answer






          StackExchange.ifUsing("editor", function () {
          StackExchange.using("externalEditor", function () {
          StackExchange.using("snippets", function () {
          StackExchange.snippets.init();
          });
          });
          }, "code-snippets");

          StackExchange.ready(function() {
          var channelOptions = {
          tags: "".split(" "),
          id: "1"
          };
          initTagRenderer("".split(" "), "".split(" "), channelOptions);

          StackExchange.using("externalEditor", function() {
          // Have to fire editor after snippets, if snippets enabled
          if (StackExchange.settings.snippets.snippetsEnabled) {
          StackExchange.using("snippets", function() {
          createEditor();
          });
          }
          else {
          createEditor();
          }
          });

          function createEditor() {
          StackExchange.prepareEditor({
          heartbeatType: 'answer',
          autoActivateHeartbeat: false,
          convertImagesToLinks: true,
          noModals: true,
          showLowRepImageUploadWarning: true,
          reputationToPostImages: 10,
          bindNavPrevention: true,
          postfix: "",
          imageUploader: {
          brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
          contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
          allowUrls: true
          },
          onDemand: true,
          discardSelector: ".discard-answer"
          ,immediatelyShowMarkdownHelp:true
          });


          }
          });














          draft saved

          draft discarded


















          StackExchange.ready(
          function () {
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53424687%2fforce-npm-to-install-all-dependencies-from-custom-cloned-repositories%23new-answer', 'question_page');
          }
          );

          Post as a guest















          Required, but never shown

























          0






          active

          oldest

          votes








          0






          active

          oldest

          votes









          active

          oldest

          votes






          active

          oldest

          votes
















          draft saved

          draft discarded




















































          Thanks for contributing an answer to Stack Overflow!


          • Please be sure to answer the question. Provide details and share your research!

          But avoid



          • Asking for help, clarification, or responding to other answers.

          • Making statements based on opinion; back them up with references or personal experience.


          To learn more, see our tips on writing great answers.




          draft saved


          draft discarded














          StackExchange.ready(
          function () {
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53424687%2fforce-npm-to-install-all-dependencies-from-custom-cloned-repositories%23new-answer', 'question_page');
          }
          );

          Post as a guest















          Required, but never shown





















































          Required, but never shown














          Required, but never shown












          Required, but never shown







          Required, but never shown

































          Required, but never shown














          Required, but never shown












          Required, but never shown







          Required, but never shown







          Popular posts from this blog

          MongoDB - Not Authorized To Execute Command

          Image
          .everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty{ height:90px;width:728px;box-sizing:border-box; } 0 I have successfully enabled authorization on MongoDB and I have created an account on the admin database and then I created an account for my database called test. The following connection string to connect to my test database works successfully: mongo --host 192.168.17.52 --port 27017 -u user1 -p password --authenticationDatabase test Only problem I have now is, I cannot execute commands such as: show dbs. I get the following error when I try to do so: "errmsg" : "not authorized on admin to execute command { listDatabases: 1.0, lsid: { id: UUID("a1d5bc0d-bc58-485e-b232-270758a89455") }, $db: "admin...
          Read more

          How to fix TextFormField cause rebuild widget in Flutter

          Image
          .everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty{ height:90px;width:728px;box-sizing:border-box; } 0 I've got the same issue at #9280. I tried all solutions from that topic with/without GlobalKey for Scaffold and Form but the problem wasn't fixed. I tried to build a authentication form with login and signup. But the keyboard doesn't show when I tap the TextFormField at the first time. Then I try to input some letter from physical keyboard, the widget is rebuilt. Like this: login screen Nothing to be log when I run flutter run --verbose, so I logged manually. Every tapping on field, the widget called dispose -> init -> build. [√] Flutter (Channel beta, v1.0.0, on Microsoft Windows [Version 10.0.17763.195], ...
          Read more

          Npm cannot find a required file even through it is in the searched directory

          Image
          up vote 0 down vote favorite I got that error: users-Air:pdfuploader user$ npm run start client@0.1.0 start /Users/user/Documents/pdfuploader react-scripts start Could not find a required file. Name: index.html Searched in: /Users/user/Documents/pdfuploader/public npm ERR! code ELIFECYCLE npm ERR! errno 1 npm ERR! client@0.1.0 start: `react-scripts start` npm ERR! Exit status 1 npm ERR! npm ERR! Failed at the client@0.1.0 start script. npm ERR! This is probably not a problem with npm. There is likely additional logging output above. npm ERR! A complete log of this run can be found in: npm ERR! /Users/user/.npm/_logs/2018-11-19T10_19_14_555Z-debug.log users-Air:pdfuploader user$ And the file is in /Users/user/Documents/pdfuploader/public as you can see in my github repository: https://github.c...
          Read more