How should I handle package-lock.json when I deploy from git via ssh?

I have a deployment process where I check code into a git repository, and via web hooks a deployment script is run on the production server. On that server, I connect to git using ssh and a .pem key, pull from git, npm install, build webpack and restart the service process.

I never intend to commit anything from the prod servers - they should be able to deploy automatically. However, this does not work, because the package-lock.json file is frequently updated when I run npm install, and so the next time I deploy, the git pull step fails, saying that I conflict with existing package-lock.json file because it has changes that are not committed.

My current solution is to .gitignore the package-lock.json file. But that defeats its purpose, to provide builds that are identical to the ones on my dev machine.

What would be the right way to handle package-lock.json?

There's a helpful StackOverflow Question/Answer about why your package.lock is changing. The closest most useful answer seems to reference an NPM bug that's seeing much activity here in October 2017.

But currently, package.json overrides package-lock.json, meaning if you use ~2.1 and there's a 2.2 version of that package, your production deploy will get upgraded.

Assuming you're not from the future, there's two different ideas here:

  1. Use only non-prefixed, specific version numbers (2.1 vs ~2.0) in your package.json. (This is not great)
  2. npm install --no-save ... which doesn't solve the underlying issue of lock files getting ignored, but I think will keep the package-lock.json from being updated.
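
A pre-deploy check related to the answer above, as an added example that is not part of the original post: it flags dependencies in package.json whose specifier is not a full exact version, and those whose package-lock.json entry is missing or disagrees with it. The function names, issue labels and sample manifests are constructed for illustration.

```javascript
// Only a full major.minor.patch (optional prerelease/build) counts as pinned.
// A partial version such as "2.1" is an x-range in npm's semver, so it floats too.
const EXACT = /^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?$/;

// Read the locked version of a top-level dependency from either lockfile layout:
// lockfileVersion 1 uses "dependencies", versions 2 and 3 use "packages".
function lockedVersion(lock, name) {
  const entry = (lock.packages && lock.packages[`node_modules/${name}`]) ||
    (lock.dependencies && lock.dependencies[name]);
  return entry ? entry.version : undefined;
}

// Return one finding per dependency whose installed version is not fixed
// by package.json and package-lock.json together (hypothetical helper).
function auditManifest(pkg, lock) {
  const findings = [];
  for (const section of ['dependencies', 'devDependencies']) {
    for (const [name, spec] of Object.entries(pkg[section] || {})) {
      const locked = lockedVersion(lock, name);
      let issue = null;
      if (!EXACT.test(spec)) issue = 'not-pinned';
      else if (locked === undefined) issue = 'missing-from-lock';
      else if (locked !== spec) issue = 'lock-mismatch';
      if (issue) findings.push({ name, section, spec, locked, issue });
    }
  }
  return findings;
}

// Constructed sample manifests (not from the original post).
const samplePkg = {
  dependencies: { express: '4.16.2', lodash: '~4.17.4', 'left-pad': '1.1.3' },
  devDependencies: { webpack: '^3.8.1' },
};
const sampleLock = {
  lockfileVersion: 1,
  dependencies: {
    express: { version: '4.16.2' },
    lodash: { version: '4.17.4' },
    'left-pad': { version: '1.2.0' },
    webpack: { version: '3.8.1' },
  },
};

for (const finding of auditManifest(samplePkg, sampleLock)) {
  console.log(`${finding.issue}: ${finding.name} ${finding.spec} (locked ${finding.locked})`);
}
```

In a deploy script the parsed contents of the real package.json and package-lock.json would replace the sample objects, and a non-empty result would stop the deploy before npm install runs.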
