From 9a85fc8e7652fe5983ea05f46ba634f2974f9829 Mon Sep 17 00:00:00 2001
From: Tom Byers
Date: Wed, 17 Sep 2025 15:11:59 +0100
Subject: [PATCH] Change `npm install` to `npm ci`

Running `npm install` will change the dependencies in node_modules and
what is listed in package-lock.json if the dependencies in
package-lock.json don't match the dependency tree possible for the
versions specified in package.json.

Running `npm ci` deletes node_modules at the start and installs exactly
what's in package-lock.json, irrelevant of whether any sub-dependencies
of the packages listed in package.json have newer versions allowed by
their semver ranges or not.

A nicer way to explain might be this example:

If the 'standard' package changes by a patch version and we run
`npm install`:
1. its version includes the '^' prefix so allows patch and minor
   version bumps
2. the new version would be installed into node_modules
3. package-lock.json would be updated to reference the new version
4. `npm install` is then run on the new version of 'standard', checking
   for the latest versions of its dependencies allowed and installing
   them, all the way down the tree

If the 'standard' package changes by a patch version and we run
`npm ci`:
1. the node_modules folder is emptied
2. all the dependencies listed in package-lock.json are installed at
   the versions specified

So in the second example, `npm ci` ignores the new patched version
because it only goes by what's in package-lock.json.

I think we want the latter behaviour, because it splits updates out
into a separate step and stops them happening during gem installation.

References:
- https://docs.npmjs.com/cli/v11/commands/npm-install
- https://docs.npmjs.com/cli/v11/commands/npm-ci
---
 govuk_tech_docs.gemspec | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/govuk_tech_docs.gemspec b/govuk_tech_docs.gemspec index 3ee90f42..97470b85 100644 --- a/govuk_tech_docs.gemspec +++ b/govuk_tech_docs.gemspec
@@ -4,8 +4,8 @@ lib = File.expand_path("lib", __dir__) $LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib) require "govuk_tech_docs/version" -`npm install` -abort "npm install failed" unless $CHILD_STATUS.success? +`npm ci` +abort "npm ci failed" unless $CHILD_STATUS.success? unless File.exist?("node_modules/govuk-frontend/dist/govuk/all.scss") abort "govuk-frontend npm package not installed"
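Review bot: The added `npm ci` line makes evaluating this gemspec depend on a lockfile that is present and in sync, and the new `abort "npm ci failed"` message does not say so. Unlike `npm install`, `npm ci` exits with an error when package-lock.json is missing or disagrees with package.json, so please confirm package-lock.json is available wherever this gemspec is evaluated, and consider making the abort text name the likely cause, for example "npm ci failed: check that package-lock.json exists and matches package.json". `npm ci` also still runs the lifecycle scripts of the locked dependencies, so if the build that the following `File.exist?("node_modules/govuk-frontend/dist/govuk/all.scss")` check relies on does not need them, adding `--ignore-scripts` would narrow what executes at this point.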