chore: use npm ci instead of npm install in server.py --build flag#3331
Use npm ci for deterministic builds from package-lock.json, with fallback to npm install when package-lock.json is missing.
Pull request overview
Switches the frontend dependency install step in server.py --build to prefer npm ci for reproducible builds based on package-lock.json.
Changes:
- Detects presence of package-lock.json in the frontend directory.
- Runs npm ci when the lockfile exists; otherwise falls back to npm install with a warning.
- Keeps the existing npm run build step unchanged.
server.py
Outdated
| logging.info("Building VueJS front-end.") | ||
| subprocess.run(["npm", "install"], cwd=MAGMA_PATH, check=True) | ||
| package_lock = os.path.join(MAGMA_PATH, "package-lock.json") | ||
| if os.path.exists(package_lock): |
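Review bot: the lockfile check at `if os.path.exists(package_lock):` also passes for a directory named package-lock.json, so npm ci would run without a usable lockfile in that case; use `os.path.isfile(package_lock)` so that only a regular file enables the npm ci path.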
server.py
Outdated
| logging.warning("package-lock.json not found, falling back to npm install") | ||
| subprocess.run(["npm", "install"], cwd=MAGMA_PATH, check=True) |
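Review bot: the fallback `subprocess.run(["npm", "install"], cwd=MAGMA_PATH, check=True)` quietly gives up the reproducible-build guarantee this change introduces, since a build that resolved versions from package.json then finishes looking like a successful one with only a warning in the log; consider failing or skipping the frontend build here instead of installing unpinned versions, so a missing lockfile is noticed rather than masked.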
- Use os.path.isfile() instead of os.path.exists() for package-lock.json check to avoid false positives from directories with that name
- Raise FileNotFoundError instead of falling back to npm install when package-lock.json is missing, preserving reproducible-build guarantee
Pull request overview
Switches the server-side build step for the VueJS frontend from npm install to npm ci to ensure reproducible builds using package-lock.json.
Changes:
- Replace npm install with npm ci during --build frontend compilation.
- Add an explicit check for package-lock.json and raise a clear error when it's missing.
server.py
Outdated
| raise FileNotFoundError( | ||
| f"package-lock.json not found at {package_lock}. " | ||
| "A lockfile is required for reproducible builds. " | ||
| "Commit package-lock.json or run 'npm install' locally to generate it." | ||
| ) |
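Review bot: raising FileNotFoundError here propagates out of the --build path and aborts server start-up whenever the lockfile is absent, even in deployments where the frontend is optional; if the build is meant to be skippable, log the same message with logging.warning and return from the build step instead, keeping the actionable hint "Commit package-lock.json or run 'npm install' locally to generate it."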
…sing Raising FileNotFoundError on --build crashes the server when the frontend is optional. Instead, log a warning and gracefully skip the frontend build step.
Pull request overview
Updates the --build workflow for the VueJS frontend to prefer deterministic installs by using npm ci (lockfile-driven) rather than npm install (may resolve newer versions).
Changes:
- Switch frontend dependency install from npm install to npm ci when package-lock.json is present.
- If package-lock.json is missing, warn and skip the frontend build.
| logging.warning( | ||
| f"[bright_yellow]package-lock.json not found at {package_lock}. " | ||
| "A lockfile is required for reproducible builds. " | ||
| "Skipping frontend build. Commit package-lock.json or run " | ||
| "'npm install' locally to generate it.[/bright_yellow]" | ||
| ) |
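Review bot: the `[bright_yellow]` / `[/bright_yellow]` tags in the warning string are rich-style console markup; they only render as colour if the logging handler in use interprets that markup, and otherwise appear verbatim in the log line, so either confirm the handler configuration or drop the tags from the message text.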
| subprocess.run(["npm", "ci"], cwd=MAGMA_PATH, check=True) | ||
| subprocess.run(["npm", "run", "build"], cwd=MAGMA_PATH, check=True) | ||
| logging.info("VueJS front-end build complete.") | ||
| else: | ||
| logging.warning( | ||
| f"[bright_yellow]package-lock.json not found at {package_lock}. " | ||
| "A lockfile is required for reproducible builds. " | ||
| "Skipping frontend build. Commit package-lock.json or run " | ||
| "'npm install' locally to generate it.[/bright_yellow]" | ||
| ) |
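Review bot: with check=True, a non-zero exit from `npm ci` or `npm run build` raises subprocess.CalledProcessError and aborts --build, while the else branch only warns and continues; the two failure modes are handled differently, so document that a missing lockfile is tolerated but a failing install is not, or handle both the same way.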
| package_lock = os.path.join(MAGMA_PATH, "package-lock.json") | ||
| if os.path.isfile(package_lock): | ||
| subprocess.run(["npm", "ci"], cwd=MAGMA_PATH, check=True) | ||
| subprocess.run(["npm", "run", "build"], cwd=MAGMA_PATH, check=True) | ||
| logging.info("VueJS front-end build complete.") | ||
| else: | ||
| logging.warning( | ||
| f"[bright_yellow]package-lock.json not found at {package_lock}. " |
npm install uses package.json which can update versions. npm ci uses package-lock.json for reproducible builds.