package.json: Updating Fixed Versions with npm-check

One of the common problems when running a larger project is that you need to use fixed versions in your package.json file. But at the same time you need to regularly update your packages.
The most elegant way is using npm-check. The small tool allows you to select which packages should get an update and update accordingly.

Installation

npm i -g npm-check

Usage

To update the packages in your project you now simply run npm-check -u. If you want to ensure that you are installing the exact package run it with the additional optional flag -E to ensure exact-versions.

npm-check -u -E

With Space you select the packages and with Enter you install the package.

Disable the package-lock.json file

With NPM 5, npm has started to create a “package-lock.json” file.
It ensures that some dependency tree is identical on every developers environment. Official Documentation.

Now, that may be important on some projects. In my personal projects I do not really care. And in the professional projects I did not have any issues how things were done before.

Actually with the new way of doing things, you must first remove the package-lock.json file and then run “npm update” to install newer versions of stuff. Then again, this can cause problems as when some other person also creates the package-lock file, or a merge conflict occurs etc. In the end totally defeating the purpose of the file.

Disabling the Package Lock File for a Project

  1. Create a file called .npmrc
  2. Open the file and add the line package-lock=false

Global Disable

If you currently want to disable the behavior on all projects run

npm config set package-lock false

In the future the feature may be more easy to use. For now I at least will stick to the old way of how to do things.

Git: Hooks run “npm install” on checkout

When working on a project you usually install various packages from npm.
Of course these packages are maintained and updated, adding more features and security fixes, and stability patches.

One person on your team should run npm outdated once per week to see what all has been updated and test if you can integrate the packages into your project.
Thus the package.json is updated and causes a grand problem for all other developers on the project. If a package has major breaking changes the code will need to be adjusted, however that code will not run on the other develoepers environment. The other developers working on the project they have to run npm update to install the missing / outdated packages in their environment.

The solution to this problem are “git hooks”, essentially git can execute code on specific events, like before commiting your code, or pre push etc.
git hooks. For my use case I would like to run npm update after a developer checks out from the git repository, this is the event “post-checkout”.

Native Git Hooks

To create a git hook you need to add a file in your project called .git/hooks/post-checkout (On linux add the executable bit with chmod +x)

You will test this and say, yes this works as intended – lets commit it to the repository. – Now you will discover that you cannot commit files in .git to the repository.
In fact git does not allow you to do this, due to security concerns as git hooks can execute any shell script.

The work around for this issue is to simply add it into a folder called git-hooks/ and tell the developers to copy the file when they set up their dev environment.

Husky

As always if there is a Problem for development with javascript there is a npm package to solve the problem.
Husky uses the package.json to define the scripts that are executed via git hooks.
Simply Install Husky
npm install husky -D

Then edit the package.json:

The Husky solution would also allow you to execute your own js file, maybe also doing some cleanup of files or running tests etc.

NPM: Use Github Patch Instead of Repository

Recently I was playing around with the HEXO static site generator.
For my setup I was using Hexo in combination with Gitlab CI and the ftp deploy method.

The module hexo-deployer-ftpsync has an issue that you need to manually confirm that the ftp deployment succeded.
In essence it does not exit on its own, thus a CI environment would not be able to automatically verify the success or failure of the build, it would just run forever.

Github allows you to fork existing code, improve upon it and issue a pull request, that your code will be integrated into the main software build.
I changed a couple of lines to ensure that the ftp deploy process would terminate.

To use my patch instead of the current master build of the module you need to adjust the package.json file.
Simply replace the version-number with the github url <username/project>#

Original: With Version Number

New: With github path to patch

If the owner of the project integrates my suggestion on how to fix the bug, then the line can be changed back to the offical master branch of the code.
However for the time being, gitlab CI uses the alternative code and successfully deploys my code to the server.