package-lock.json is sometimes out of sync
proletarius101 opened this issue · 3 comments
package-lock.json in some commits, e.g. d1c46e6 specified by https://github.com/bitwarden/desktop/, is out of sync with package.json.
How to test? npm ci
This is quite problematic when building https://github.com/flathub/com.bitwarden.desktop/, where the build process is offline and deps are cached beforehand.
Although https://github.com/bitwarden/jslib/commits/master seems to be good now, it seems that your lockfile update procedure might have some non-standard steps.
Thanks @proletarius101, have noticed this a few times as well, we'll add it to our PR review process to ensure package updates keep those in sync.
@cscharf BTW, I observe that duplicated dependencies are in jslib, the root of bitwarden/desktop and bitwarden/desktop/src.
According to https://www.electron.build/tutorials/two-package-structure,
If you use the two-package.json project structure, you’ll only have your devDependencies in your development package.json and your dependencies in your app package.json.
Although there is a special case that bitwarden/desktop uses webpack to build angular related code and electron-builder to glue all code, it's useless and error-prone to copy all deps in jslib and bitwarden/desktop/src to the root of bitwarden/desktop. You can't even easily ensure their versions are in sync. Better to remove those non-angular-related deps from the root of bitwarden/desktop.
Thanks @proletarius101, please feel free to submit a PR illustrating how you feel these would be best structured. I'm not sure when we would be able to get around cleaning that up.
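The kind of drift reported in this issue can be caught in PR review before an offline `npm ci` build fails. The script below is an added example, not part of the thread and not Bitwarden's or npm's code. It assumes a lockfileVersion 2 or 3 lockfile, where `packages[""]` records the root project's declared ranges, and it only approximates what `npm ci` enforces; the package names and sample data are constructed.

```javascript
// Added example: simplified drift check for lockfileVersion 2 or 3.
const DEP_FIELDS = ["dependencies", "devDependencies", "optionalDependencies"];

function findLockDrift(pkg, lock) {
  const packages = lock.packages;
  if (!packages || !packages[""]) {
    // lockfileVersion 1 has no "packages" map, so there is nothing to compare.
    return ["lockfile has no root entry in \"packages\" (lockfileVersion 1?)"];
  }
  const root = packages[""];
  const problems = [];
  for (const field of DEP_FIELDS) {
    const declared = pkg[field] || {};
    const locked = root[field] || {};
    for (const [name, range] of Object.entries(declared)) {
      if (!(name in locked)) {
        problems.push(`${field}: ${name} is missing from the lockfile root`);
      } else if (locked[name] !== range) {
        problems.push(`${field}: ${name} is ${range} in package.json but ${locked[name]} in the lockfile`);
      } else if (!packages[`node_modules/${name}`]) {
        problems.push(`${field}: ${name} has no resolved node_modules entry`);
      }
    }
    for (const name of Object.keys(locked)) {
      if (!(name in declared)) {
        problems.push(`${field}: ${name} is in the lockfile root but not in package.json`);
      }
    }
  }
  return problems;
}

// Constructed sample data; the package names are hypothetical.
const SAMPLE_PACKAGE_JSON = {
  dependencies: { "example-lib": "^2.1.0", "example-new": "^1.0.0" },
  devDependencies: { "example-tool": "~3.0.0" },
};
const SAMPLE_LOCK = {
  lockfileVersion: 2,
  packages: {
    "": {
      dependencies: { "example-lib": "^2.0.0" },
      devDependencies: { "example-tool": "~3.0.0", "example-old": "^0.9.0" },
    },
    "node_modules/example-lib": { version: "2.0.4" },
    "node_modules/example-tool": { version: "3.0.1", dev: true },
    "node_modules/example-old": { version: "0.9.2", dev: true },
  },
};
console.log(findLockDrift(SAMPLE_PACKAGE_JSON, SAMPLE_LOCK).join("\n"));
```

An empty result does not prove that every locked version satisfies its range; running `npm ci` against a clean checkout remains the authoritative test.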