ActiveCampaign/postmark.js

Circle CI: Config may introduce inaccurate build results as it uses npm install over clean install for unit tests

Closed this issue · 3 comments

About

  • Currently, the Circle CI pipeline for running tests uses npm install, which will attempt to update current dependencies whenever possible and can introduce security vulnerabilities.
  • npm ci, the clean install command, could ensure that only the specified/exact versions of the dependencies or devDependencies from the package file are installed and used for unit tests on the product.

Suggested Change
Change the config.yml for Circle CI to use npm ci instead of npm install for the CI pipeline, or in any other situation where you want to make sure you're doing a clean install of your dependencies as-is rather than upgrading them for CI builds.

@ibalosh

Hi @akashchouhan16

Thank you for the suggestion. We will look into updating the CircleCI steps to use npm ci instead of npm install in the near future.
Unfortunately we can't accept the PR you provided, since npm ci is not supported by Node 4 and 5.

We will look into updating the CircleCI steps in the near future. We welcome PRs too.

@ibalosh I have raised a PR (#133) that should handle this case and work for all Node versions.
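The change proposed in the issue body, together with the maintainer's constraint that the pipeline still has to run on Node 4 and 5, can be expressed in a single CircleCI job. The config below is an added example written for this thread, not the project's own `.circleci/config.yml` and not the contents of PR #133 or #134. The job name, the Docker image and the fallback logic are all assumptions: the fallback relies on `npm ci` having been introduced in npm 5.7.0, so older npm releases (the ones bundled with Node 4 and 5) get a plain `npm install` and every newer release gets the lockfile-exact install.

```yaml
# Added example config (not the project's own). Assumes a CircleCI 2.x pipeline
# with a package-lock.json committed to the repository, which `npm ci` requires.
version: 2
jobs:
  test:                              # assumed job name
    docker:
      - image: circleci/node:8       # assumed image; any Node image works
    steps:
      - checkout

      # Weak setting from the issue: resolves the semver ranges in package.json
      # at build time, so a unit-test run may exercise newer (or compromised)
      # package versions than the ones the lockfile pins.
      # - run: npm install

      # Corrected setting: install exactly what package-lock.json records.
      # `npm ci` also fails the build if package.json and the lockfile disagree,
      # which surfaces a drifted dependency set instead of silently resolving it.
      - run:
          name: Install dependencies (clean install where npm supports it)
          command: |
            # Assumption: `npm ci` exists from npm 5.7.0 onward; Node 4/5 ship
            # older npm, so fall back to `npm install` there only.
            ver="$(npm --version)"
            major="${ver%%.*}"
            rest="${ver#*.}"
            minor="${rest%%.*}"
            if [ "$major" -gt 5 ] || { [ "$major" -eq 5 ] && [ "$minor" -ge 7 ]; }; then
              npm ci
            else
              echo "npm $ver has no 'npm ci'; falling back to npm install"
              npm install
            fi

      - run: npm test
```

Two caveats for anyone adopting this: `npm ci` deletes `node_modules` before installing, so any CircleCI `restore_cache` step keyed on `node_modules` should be dropped or re-keyed on `package-lock.json`; and the fallback branch still produces a non-reproducible install, so treat builds on the old Node versions as best-effort rather than as a verification of the pinned dependency set.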

Fixed in #134.