Should probably do clean install

[gcohler]

In https://docs.openem.org/install/, installation step 3 which currently reads:

npm install @openem/em-sdk --prefix ~/.em-sdk

should probably be npm ci rather than npm install

[biosbob]

a little bit of a catch-22 here.... step 3 assumes this is a newly-created folder which (most important!!) does NOT have any package*.json files.... these together with the node_modules are created at the first install....

needless to say, npm ci would work after this initial install -- but i'm not sure to what advantage.... i suppose this would replace the "brute-force" reinstall???

npm upgrade would still be used to move forward (or at least confirm that you're up-to-date

correct me if i'm wrong, but the initial install into an empty will not work with npm ci....

[gcohler]

No, I don't believe it's a catch-22. I think the process goes something like this:

One time:

• developer does an npm install -- which creates a package-lock.json file that represents the exact version number of every package directly or indirectly required by the app
• developer then tests operation of the code.
• developer commits the generated package-lock.json (along with everything else to the repository once testing is complete.

Thereafter:

• users do npm clean-install -- which uses the package-lock.json to load all the direct and indirect packages.

Thus:

• users are assured that they are using the exact same package versions that the developer used and tested.
• without this, every install may be using different versions of dependencies -- including some that were never tested.

[biosbob]

hmmmm..... by "developer" you mean somebody in the kitchen, and by "user" you mean a customer at the restaurant???

i'm still now sure how does the "user" receives the package-lock.json file created by the "developer"....

FWIW, the npm package itself is not hosted at github....

[gcohler]

The package-lock.json comes alongside the package.json -- i.e it's in the tarball that is stored in the NPM registry.

[gcohler]

So when you say: npm install or npm clean-install X -- it goes to the registry and looks for a package with the name X -- and then it downloads the package (which contains both package and package-lock json files) -- and then it performs the actions described for the installation. The major difference AFAIK between clean-install and install is that ci uses the package-lock.json file to "lock" the versions -- where i installs according to the rules at the time of the install. So with install, you can only control what dependencies you have -- but not the dependencies that your dependencies have. With clean-install, you control the entire DAG of dependencies.

So with install, you get a potentially different set of packages every time you install -- but with clean-install, you get the same set of packages every time you install.

[gcohler]

hmmmm..... by "developer" you mean somebody in the kitchen, and by "user" you mean a customer at the restaurant???

By developer I mean you. ;-) And by user I mean people who want to use Em -- but not create Em and it's tools. I was being relative to EM and its tools -- not to software development in general.

[gcohler]

FWIW, the npm package itself is not hosted at github....

It doesn't matter how the em-sdk package is created. In the end, it's a tarball stored in a registry. What I'm talking about is what is inside the tarball; most notably, the package.json and package-lock.json files.

[biosbob]

i know that, but it still begs the question i posed originally.... here's what happens when (as a "user") i do an npm ci ... into an empty em-sdk folder:

(base)
[~]
$ cd em-sdk
(base)
[~/em-sdk]
$ ls
(base)
[~/em-sdk]
$ npm clean-install @openem/em-sdk --prefix ./
npm ERR! code EUSAGE
npm ERR!
npm ERR! The `npm ci` command can only install with an existing package-lock.json or
npm ERR! npm-shrinkwrap.json with lockfileVersion >= 1. Run an install with npm@5 or
npm ERR! later to generate a package-lock.json file, then try again.

as it says here, i need to do an "ordinary" npm install to first create the package-lock.json file.... remember, the "user" never really did an npm init to create a "user package" which would then depend upon the em-sdk package....

[gcohler]

i know that, but it still begs the question i posed originally.... here's what happens when (as a "user") i do an npm ci ... into an empty em-sdk folder

No, it shows that the existing tarball doesn't contain a package-lock.json file -- which is a fault in your process -- not the EM user's. There is no problem if the .em-sdk folder is completely empty at the start.

So the process (for you) would be something like this:

• Do an 'npm install' -- which creates a package-lock.json file (among other things)
• Test the sofware to be sure it works per your test vectors.
• Create the tarball -- including the package-lock.json file.
• Push the tarball to the NPM registry

[biosbob]

got it.... part of a larger task to "clean up the kitchen" and fix this (and other) processes that are questionable....

help wanted here 😉

[biosbob]

resolved in the new install infrastructure....