update composer and npm metadata files

[julien-nc]

Those files are local and don't need to be tracked by the repo.

[tacruc]

#292 (comment)

[julien-nc]

Ok thanks for pointing to the comment.

Still it's a bit annoying since it seems only required to avoid the automatic npm "test" to fail. I would prefer to get rid of those and to make changes in the proper place to generate them before calling npm ci. What do you think?

[tacruc]

I have no preference, but maybe @gary-kim or @ChristophWurst pointing this out at the first time.

[gary-kim]

The point of dependency lock files are to ensure everyone has the exact same set of dependencies installed, no matter their environment. They are meant to be in the repo. They help make sure there are never any bugs that arise from having a different version of a dependency, speed up installing dependencies, and also help with security by storing the hash of all dependencies.

The documentation for the files specify that they are meant to be committed into source control.
package-lock.json documentation && composer.lock documentation

There's also some documentation about the reasons for lockfiles in npm here

Whenever updates are required for dependencies for Javascript, npm, or in our case, dependabot, will automatically update the package-lock.json file as well. The same will happen for composer dependencies as well.

EDIT: Just realized, that sounds a little more confrontational than I was intending. Just trying to be constructive, sorry if I come off a bit harsh.

[julien-nc]

@gary-kim Ok thanks for the explanation. So we should not pay attention to the fact we will commit them often? We just commit them and that's it?

[gary-kim]

Normal changes should not be updating the lockfiles unless they involve changing dependencies. The fact that the app store template includes composer update as part of the setup process is strange. @ChristophWurst do you know why that's there?

maps/Makefile

Lines 79 to 83 in c5e1f99

	php $(build_tools_directory)/composer.phar install --prefer-dist
	php $(build_tools_directory)/composer.phar update --prefer-dist
	else
	composer install --prefer-dist
	composer update --prefer-dist

[julien-nc]

Thanks a lot for looking into it!

It might just be something to fix in the Makefile indeed.

[ChristophWurst]

@ChristophWurst do you know why that's there?

Good catch. That doesn't seem right. Please fix the Makefile and also submit that for the template.

[ChristophWurst]

No, they should be commited. The will only change when you add/update/delete a dependency.

[julien-nc]

Thanks for #314.

So I reverted everything on this branch, merged with master and ran make which updated package-lock.json. All clear?

[gary-kim]

That's strange. What version of npm and node do you have installed? My system doesn't make that change.

[julien-nc]

Node version is v10.15.2 and npm is 5.8.0.

After upgrading npm to 6.13.7, package-lock.json is not changed anymore by running make.

Should we close this or is there anything left to do?