Added package-lock.json, made gui build reproducible #1017

Merged: DJ2LS merged 2 commits into DJ2LS:develop from as3ii:main on Oct 6, 2025
as3ii commented Oct 2, 2025

Contributor

Only node libraries can avoid having a package-lock.json. For applications it is required for better reproducibility.
See the official documentation: https://docs.npmjs.com/cli/v11/configuring-npm/package-lock-json#description

It describes the exact tree that was generated, such that subsequent installs are able to generate identical trees, regardless of intermediate dependency updates.

This file is intended to be committed into source repositories, and serves various purposes:

  • Describe a single representation of a dependency tree such that teammates, deployments, and continuous integration are guaranteed to install exactly the same dependencies.
  • Provide a facility for users to "time-travel" to previous states of node_modules without having to commit the directory itself.
  • Facilitate greater visibility of tree changes through readable source control diffs.
  • Optimize the installation process by allowing npm to skip repeated metadata resolutions for previously-installed packages.

as3ii changed the base branch from main to develop October 3, 2025 23:41

as3ii commented Oct 3, 2025

Contributor Author

changed PR's base branch

DJ2LS commented Oct 5, 2025

Owner

I didn't add package-json.lock to the repository, as it will be generated automatically. Question is also, if we add a *.lock file, do we have to update the dependencies manually then? Or wouldn't it be easier, if it will be created automatically.

as3ii commented Oct 5, 2025

Contributor Author

> I didn't add package-json.lock to the repository, as it will be generated automatically. Question is also, if we add a *.lock file, do we have to update the dependencies manually then? Or wouldn't it be easier, if it will be created automatically.

As per the npm documentation: the .lock file is needed if you want to have reproducible builds, as it stores the precise version of all dependencies (and some downstream package systems require it for this exact reason), so as to eliminate possible inconsistencies due to inadvertently updated dependencies, and it allows building old FreeDATA versions with the same old npm dependencies, resulting in the exact same build. When you want to update the dependencies, you just run `npm update --package-lock-only` and commit the new lock file.

(PS. I've updated the lockfile to respect the last develop commits)
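
A CI-style check of the property discussed in this thread, as an added example that is not part of the PR or the FreeDATA code base: it walks a committed package-lock.json and flags entries that are not pinned to a hashed, HTTPS-fetched tarball, plus declared dependencies with no locked entry. The sample lockfile, its package names and the issue labels are constructed for illustration.

```javascript
// Constructed sample in the lockfileVersion 2/3 "packages" layout.
// Package names, URLs and hashes are made up for illustration.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { dependencies: { "left-lib": "^1.2.0", "right-lib": "^2.0.0" },
          devDependencies: { "ghost-lib": "^0.1.0" } },
    "node_modules/left-lib": {
      version: "1.2.3",
      resolved: "https://registry.npmjs.org/left-lib/-/left-lib-1.2.3.tgz",
      integrity: "sha512-Y29uc3RydWN0ZWQtc2FtcGxl" },
    "node_modules/right-lib": {
      version: "2.0.1",
      resolved: "http://mirror.example.invalid/right-lib-2.0.1.tgz",
      integrity: "sha1-Y29uc3RydWN0ZWQ=" },
    "node_modules/local-tool": { resolved: "tools/local-tool", link: true },
  },
};

// Returns a list of { path, issue } for entries that weaken reproducibility
// or tamper detection. An empty list means every checked entry is pinned.
function auditLockfile(lock) {
  const pkgs = lock.packages;
  // A v1 lockfile (or a file that is not a lockfile) has no "packages" map.
  if (!pkgs) return [{ path: "", issue: "no-packages-map" }];
  const findings = [];
  for (const [path, entry] of Object.entries(pkgs)) {
    // The root entry, symlinked local packages and bundled deps carry no tarball hash.
    if (path === "" || entry.link || entry.inBundle) continue;
    if (!entry.version) findings.push({ path, issue: "no-version" });
    if (!entry.integrity) findings.push({ path, issue: "no-integrity" });
    else if (!/^sha(256|384|512)-/.test(entry.integrity))
      findings.push({ path, issue: "weak-integrity" });
    if (!entry.resolved || !entry.resolved.startsWith("https://"))
      findings.push({ path, issue: "resolved-not-https" });
  }
  // Every dependency the root package declares must have a locked entry.
  const root = pkgs[""] || {};
  const declared = { ...root.dependencies, ...root.devDependencies };
  for (const name of Object.keys(declared)) {
    const path = "node_modules/" + name;
    if (!pkgs[path]) findings.push({ path, issue: "not-locked" });
  }
  return findings;
}

console.log(auditLockfile(SAMPLE_LOCK));
```

In a pipeline this would read the real file with `JSON.parse` and fail the job on any finding; installing with `npm ci` then refuses to proceed when package.json and the lockfile disagree.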

DJ2LS commented Oct 5, 2025

Owner

Okay, thanks for the clarification! Then I would say, it's time for a merge? Anything else you want to add?

as3ii commented Oct 5, 2025

Contributor Author

> Okay, thanks for the clarification! Then I would say, it's time for a merge? Anything else you want to add?

on my end there is nothing else to do on this side 👍🏻

DJ2LS merged commit 6a62a18 into DJ2LS:develop Oct 6, 2025
1 check was pending