node-gradle/gradle-node-plugin

Question: Is there a smooth way to use different args with npmInstall in different situations?

Closed this issue · 3 comments

I'm hoping that I've just missed an obvious way to do something. Most of the time I want a task to depend on npmInstall, I'm happy to have it just invoke npm ci. However, when preparing my node_modules directory to be scanned for vulnerabilities, I want to exclude dev-only dependencies using npm ci --omit=dev. Is there an easy way to do that? I'd be fine with having two different instances of npmInstall task and setting up a dependency on the right one based on which of my tasks I'm in. Would that make sense?

Oh... would it be as simple as doing something like the following (Kotlin syntax):

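```kotlin
import com.github.gradle.node.npm.task.NpmInstallTask

// Second install task that skips devDependencies
tasks.register<NpmInstallTask>("npmInstallNoDev") {
    args.set(listOf("--omit=dev"))
}
```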

Update: that worked! 🎉 I'd be willing to close this, but would it make sense to document it explicitly somewhere? If you feel like the existing docs already cover it, it would be great to add a link here.

Having multiple NpmInstallTask should be fine 👍
But there are some things you might want to consider, given that they both operate on the same state:

- Other tasks might have a dependency causing npmInstall to run (before or after the --omit=dev)
- Do you use remote or local caches? Does --omit=dev have any effect on your distribution?

This to me looks like something that runs in its own CI pipeline, and if so it sounds like it should be fine, but if not it might be worth introducing a configurable property or creating a temporary working directory for running the second npm install and security scan in.

Thanks! Good guess on the last part. Yes, it runs in its own CI pipeline, so it shouldn't result in any side effects for other builds. I like your idea of making it configurable (property, env var, etc.) though.
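
The two options raised in the thread (a configurable property, or a temporary working directory for the production-only install), sketched as an added example that is not code from the thread or the plugin's documentation. The property name `npmOmitDev`, the task names `stageScanManifests` and `npmCiProdOnly`, and the `build/npm-scan` directory are hypothetical, and a `package-lock.json` is assumed to sit next to `package.json`.

```kotlin
import com.github.gradle.node.npm.task.NpmInstallTask
import com.github.gradle.node.npm.task.NpmTask

// Option A: keep a single npmInstall and switch it with a property,
//   ./gradlew build -PnpmOmitDev=true
// This still rewrites the shared node_modules, so it only suits a
// dedicated scan pipeline. "npmOmitDev" is a hypothetical property name.
val omitDev = providers.gradleProperty("npmOmitDev")
    .map { it.toBoolean() }
    .orElse(false)

tasks.named<NpmInstallTask>("npmInstall") {
    args.set(omitDev.map { if (it) listOf("--omit=dev") else emptyList<String>() })
}

// Option B: install production dependencies into a scratch directory so the
// project's own node_modules (and any task depending on npmInstall) is untouched.
val scanDir = layout.buildDirectory.dir("npm-scan") // hypothetical location

val stageScanManifests by tasks.registering(Copy::class) {
    // npm ci needs both the manifest and the lockfile
    from("package.json", "package-lock.json")
    into(scanDir)
}

val npmCiProdOnly by tasks.registering(NpmTask::class) {
    dependsOn(stageScanManifests)
    workingDir.set(scanDir)
    npmCommand.set(listOf("ci"))
    args.set(listOf("--omit=dev"))
    // Point the vulnerability scanner at build/npm-scan/node_modules
}
```

With Option B the scan sees exactly what the lockfile resolves for production, regardless of whether another task ran the default `npmInstall` before or after it.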