Circle CI: Config may introduce inaccurate build results as it uses npm install over clean install for unit tests
Closed this issue · 3 comments
akashchouhan16 commented
About
- Currently, the Circle CI pipeline for running tests uses npm install, which will attempt to update current dependencies whenever possible and can introduce security vulnerabilities. npm ci, or the clean install command, could ensure that only the specified/exact versions of the dependencies or devDependencies from the package file are installed and used for unit tests on the product.
Suggested Change
Changing the config.yml for Circle CI to use npm ci instead of npm install for the CI pipeline, or in any other situation where you want to make sure you're doing a clean install of your dependencies as-is, and not upgrading the dependencies for CI builds.
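As an added example (not the project's own config.yml and not the PR from this thread), here is a CircleCI 2.1 job showing the npm install step beside its npm ci replacement, with the npm cache keyed on the lockfile; the Docker image and job names are assumptions.

```yaml
version: 2.1

jobs:
  unit-tests:
    docker:
      # Assumed image; use whatever Node image the project already pins.
      - image: cimg/node:lts
    steps:
      - checkout

      # Weak form: resolves the dependency tree at build time and may pull
      # newer versions, so two builds of the same commit can test different
      # dependency sets.
      #- run: npm install

      # Clean install: deletes node_modules, installs exactly the versions in
      # package-lock.json, and fails the build if the lockfile is missing or
      # out of sync with package.json. Needs npm 5.7 or newer, so it is not
      # available on the Node 4/5 runtimes mentioned in this thread.
      - restore_cache:
          keys:
            - npm-deps-{{ checksum "package-lock.json" }}
      - run: npm ci
      - save_cache:
          key: npm-deps-{{ checksum "package-lock.json" }}
          paths:
            - ~/.npm

      - run: npm test

workflows:
  test:
    jobs:
      - unit-tests
```

Because the cache key is the checksum of package-lock.json, any change to locked versions invalidates the cache, while unchanged lockfiles reuse the downloaded tarballs without changing what npm ci installs.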
ibalosh commented
Thank you for the suggestion. We will see to updating the CircleCI steps to use npm ci instead of npm install in the near future.
Unfortunately we can't accept the PR you provided since npm ci is not supported by Node 4 and 5.
We will see to updating the CircleCI steps in the near future. We welcome PRs too.
akashchouhan16 commented