Skip to content

feat: Respect the package-lock.json for a NodeJS Lambda function #681

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 2 commits into
base: master
Choose a base branch
from
Open

feat: Respect the package-lock.json for a NodeJS Lambda function #681

wants to merge 2 commits into from

Conversation

az-wegift
Copy link

@az-wegift az-wegift commented May 20, 2025
edited
Loading

Description

Respect the package-lock.json so NodeJS Lambda for reproducible builds, which are critical in production environments. Similarly, like for the Poetry, copy a lock file, if such is present, to a temporary build directory. npm will use a package-lock.json file when available in a working directory.

In the example package.json, require a lower requests version to demonstrate package-lock.json usage. package.json specifies ~0.2.0 and the latest available matching version is 0.2.2, but package-lock.json freezes version 0.2.1 and that version gets installed with this change, while previously the 0.2.2 would be installed.

Motivation and Context

Breaking Changes

  • Nothing changes when package-lock.json is not present in the source directory.
  • When package-lock.json is present, it will be honoured going forward, by default, which would be an expected behaviour. This should be desired because a new version of a dependency might unexpectedly break a deployment, as mentioned in the package.py should respect package-lock.json when creating an archive for Node.js lambda functions. #423, while locked dependencies would have been tested in unit tests. If someone doesn't want to lock their dependencies, they shouldn't have a lock file.

How Has This Been Tested?

  • I have updated at least one of the examples/* to demonstrate and validate my change(s)
    • I have added new examples to demonstrate my change and preserved old ones to demonstrate it did not break them.
  • I have tested and validated these changes using one or more of the provided examples/* projects
    • I ran terraform apply in examples/build-package/ (with commented out irrelevant Python examples for clarity).
    • In the builds directory, I checked whether the zip file's content appeared as expected.
      • Old examples install requests-0.3.0 dependency.
      • New examples install reqests-0.2.1 dependency, as expected.
  • I have executed pre-commit run -a on my pull request
    • It automatically added new examples to the list.

@az-wegift az-wegift force-pushed the npm_lock_file branch 2 times, most recently from aadf043 to 4e390d0 Compare May 20, 2025 17:04
feat: Respect the package-lock.json for a NodeJS Lambda function
5b70e1d 
Respect the `package-lock.json` so NodeJS Lambda for reproducible builds
which are critical in production environments. Similarly like for the
Poetry, copy a lock file, if such is present, to a temporary build
directory. npm will use a `package-lock.json` file when available in
a working directory.

In the example `package.json`, require lower `requests` version to
demonstrate `package-lock.json` usage. `package.json` specifies
`~0.2.0` and the latest available matching version is `0.2.2`, but
`package-lock.json` freezes version `0.2.1` and that version gets
installed with this change, while previously the `0.2.2` would be
installed.
@az-wegift az-wegift changed the title feat: Respect the package-lock.json for a NodeJS Lambda function (#423) feat: Respect the package-lock.json for a NodeJS Lambda function May 20, 2025
@antonbabenko antonbabenko requested a review from pdecat May 20, 2025 18:43
pdecat
pdecat approved these changes May 20, 2025
View reviewed changes
Copy link
Contributor

@pdecat pdecat left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Did not test, but code changes LGTM!

@github-actions GitHub Actions
Copy link

This PR has been automatically marked as stale because it has been open 30 days
with no activity. Remove stale label or comment or this PR will be closed in 10 days

@github-actions github-actions bot added the stale label Jun 20, 2025
@az-wegift
Copy link
Author

I have forked the repository, and we have been using the patched module in production at my company for almost a month now with no issues. Could it be included in the next release so that we can switch back to the original module, please?

@github-actions github-actions bot removed the stale label Jun 21, 2025
@github-actions GitHub Actions
Copy link

This PR has been automatically marked as stale because it has been open 30 days
with no activity. Remove stale label or comment or this PR will be closed in 10 days

@github-actions github-actions bot added the stale label Jul 21, 2025
@az-wegift
Copy link
Author

@antonbabenko, could you please consider this PR? We have used the fix in production for almost two months without any issues. It would be nice if we could switch back to the official repo.

@github-actions github-actions bot removed the stale label Jul 22, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@pdecat pdecat pdecat approved these changes

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@az-wegift @pdecat