NPM Shrinkwrap? about nodegoat HOT 8 CLOSED

Hey Andri,

I was not aware of npm shrinkwrap. I just read about it and like the idea. This would ensure consistent builds, without us needing to maintain the modules code.

I would prefer to treat dev dependencies in the same way, so running shrinkwrap with --dev flag. What do you suggest?

from nodegoat.

I have a feeling running it with --dev means development dependencies might get installed on the production machine as well. But if that's not a problem, go ahead.

from nodegoat.

Good point. One of the reasons I committed modules initially was to have consistent dev environment, especially grunt's version. So I think the little overhead of deploying dev dependencies to prod should be fine.

Would you like to work on this change?

from nodegoat.

Worth noting, npm install will install the exact copies of modules as specified in the package.json file so there is no need for checking in modules into version control. The benefit of npm install is that it will build the package for the OS architecture. For example, bcrypt will break between Windows, Linux etc.

from nodegoat.

@jksdua Thanks for the comment. While package.json can control exact versions of packages explicitly specified in package.json, it can't control recursive dependencies of external packages. Shrinkwrap allows us to do that w/o needing to check-in these dependencies. Please feel free to assign this issue to yourself if you want to assist on incorporating shrinkwrap.

from nodegoat.

@ckarande Sounds good.

I am thinking the following:

• Add a pre-commit hook which will run npm shrinkwrap when new dependencies are installed. The new npm-shrinkwrap.json will then automatically be added to the commit.
• Add node_modules to .gitignore

from nodegoat.

@jksdua Perfect! Thanks. Feel free to send a pull request once ready.

from nodegoat.

We will not use shrinkwrap, as having npm dependencies added in code makes it easier it deploy on BWA VM instances w/o network connectivity

from nodegoat.