Document package-lock.json usage

[evbo]

How can the generated package-lock.json be version controlled outside of the target directory and integrated as part of the fastOpt/fullOpt build?

I think the easy part is copying the resulting package-lock.json to a resources directory, but then how would I tell scalajs-bundler to use that managed copy of it for all future builds (especially in a build environment where a pre-existing target directory is never cached)?

In case more context is needed, this npm feature allows you to confidently release software knowing it is exactly the same by preventing any dependencies (or dependencies of your dependencies) from being updated. I've already released 2 bugs that were completely out of my control because seconds before my release a third party released a "patch" update that had breaking changes accidentally. Having the package-lock.json under sbt control, or even just some brief documentation on how to control it from sbt would therefore be highly appreciated.

[julienrf]

scalajs-bundler was designed just before the introduction of the package-lock.json file and indeed it doesn’t integrate well with it. We should probably:

• introduce a new setting: npmPackageLockDirectory: SettingKey[File], with a default value of baseDirectory.value,
• add some logic to copy the npmPackageLockDirectory.value / "package-lock.json" file to the (npmUpdate / crossTarget).value directory before running the npmInstallDependencies task, and then to copy the content of the updated package-lock.json file back to the npmPackageLockDirectory.value directory, after the npmInstallDependencies task has run.

[evbo]

I'm not sure but I may have found a simple work around:

Place package-lock.json in src/main/resources and then copy those assets:

webpackResources := resourceDirectory.in(Compile).value ** "*" filter { _.isFile }

I'm not sure how to test if this is working, but I've tried changing: "lockfileVersion": 1

to: "lockfileVersion": 9,

and I'm getting affirming message:

This version of npm is compatible with lockfileVersion@1, but npm-shrinkwrap.json was generated for lockfileVersion@9. I'll try to do my best with it! 

[julienrf]

Thanks for sharing your experiments :)

Using the webpackResources mechanism is an interesting solution. We should just update the documentation. However, I wouldn’t use the resourceDirectory but rather the baseDirectory:

webpackResources += (Compile / baseDirectory).value / "package-lock.json"

The concept of “resource” does not really make sense in Scala.js, but the resourceDirectory is usually reserved for files that end up being packaged with the application.

So, one way to fix this issue would be to extend the default value of webpackResources to include not only .js files but also .json files (which makes sense because they can be imported by node). What do you think?

[evbo]

I think the only remaining "nice to have" implementation detail would be the one you mentioned in your earlier comment - for changes to package.json that override package-lock.json to be applied to your version controlled copy of package-lock.json (the one in your project base).

I say "nice to have" because if you personally update npmDependencies then you ought to remember to also update your package-lock.json file, but this would help prevent sync issues.

[julienrf]

Right, I forgot that part. So, we probably have to implement some logic for the specific case of managing the package-lock.json file.

[vhiairrassary]

The issue is a bit old but here is a PR to save package-lock.json, similarly to what is done for yarn: #392

[evbo]

@vhiairrassary I am now learning that npm ci is the most certain way to build using a package-lock.json file. Have you ever tried running that command through scalajs-bundler?

#406

[evbo]

@vhiairrassary I just had a weird outcome where package-lock is getting generated that contained old dependencies after I removed them all from my build.sbt. UPDATE I realize now what is going on: It seems your change produces a package lock file in the root directory of the project so it was getting scooped up without me realizing it (I keep package lock in my resources folder). Is there anyway to change the directory in which it places it?