feat(builtin): use npm ci as default behaviour for installing node_mo…

…dules

To be more hermetic with the install of the dependencies use npm ci to install the exact version from the package-lock.json file.

To update a dependency use the vendored npm binary with `bazel run @nodejs//:npm install <dep-name>`.

Fixes bazel-contrib#159

WORKSPACE

@@ -221,6 +221,7 @@ npm_install(
         ".json",
         ".proto",
     ],
+    npm_ci = False,
     package_json = "//:tools/fine_grained_deps_npm/package.json",
     package_lock_json = "//:tools/fine_grained_deps_npm/package-lock.json",
     symlink_node_modules = False,

e2e/packages/WORKSPACE

@@ -19,6 +19,7 @@ npm_install(
     name = "e2e_packages_npm_install",
     args = ["--production"],
     data = ["//:postinstall.js"],
+    npm_ci = False,
     package_json = "//:npm1/package.json",
     package_lock_json = "//:npm1/package-lock.json",
     symlink_node_modules = False,
@@ -28,6 +29,7 @@ npm_install(
     name = "e2e_packages_npm_install_duplicate_for_determinism_testing",
     args = ["--production"],
     data = ["//:postinstall.js"],
+    npm_ci = False,
     package_json = "//:npm2/package.json",
     package_lock_json = "//:npm2/package-lock.json",
     symlink_node_modules = False,

e2e/symlinked_node_modules_npm/WORKSPACE

@@ -28,6 +28,7 @@ load("@build_bazel_rules_nodejs//:index.bzl", "npm_install")
 
 npm_install(
     name = "npm",
+    npm_ci = False,
     package_json = "//:package.json",
     package_lock_json = "//:package-lock.json",
     quiet = False,

examples/kotlin/WORKSPACE

@@ -17,6 +17,11 @@ load("@build_bazel_rules_nodejs//:index.bzl", "npm_install")
 npm_install(
     # Name this npm so that Bazel Label references look like @npm//package
     name = "npm",
+    # Set this to true in a real world example (the default value is true), to have hermetic
+    # builds and use npm ci in favour of npm install. We have to disable this here as the @bazel
+    # scoped packages are getting replaced in the package.json with a file url and the version
+    # won't match with the one in the lock file then.
+    npm_ci = False,
     package_json = "//:package.json",
     package_lock_json = "//:package-lock.json",
 )

examples/parcel/WORKSPACE

@@ -29,6 +29,11 @@ load("@build_bazel_rules_nodejs//:index.bzl", "npm_install")
 
 npm_install(
     name = "npm",
+    # Set this to true in a real world example (the default value is true), to have hermetic
+    # builds and use npm ci in favour of npm install. We have to disable this here as the @bazel
+    # scoped packages are getting replaced in the package.json with a file url and the version
+    # won't match with the one in the lock file then.
+    npm_ci = False,
     package_json = "//:package.json",
     package_lock_json = "//:package-lock.json",
 )

examples/vendored_node/WORKSPACE

@@ -46,6 +46,11 @@ npm_install(
     data = [
         "@vendored_node_10_12_0//:node-v10.12.0-linux-x64/bin/node",
     ],
+    # Set this to true in a real world example (the default value is true), to have hermetic
+    # builds and use npm ci in favour of npm install. We have to disable this here as the @bazel
+    # scoped packages are getting replaced in the package.json with a file url and the version
+    # won't match with the one in the lock file then.
+    npm_ci = False,
     package_json = "//:package.json",
     package_lock_json = "//:package-lock.json",
 )

examples/vue/WORKSPACE

@@ -17,6 +17,11 @@ node_repositories(package_json = ["//:package.json"])
 
 npm_install(
     name = "npm",
+    # Set this to true in a real world example (the default value is true), to have hermetic
+    # builds and use npm ci in favour of npm install. We have to disable this here as the @bazel
+    # scoped packages are getting replaced in the package.json with a file url and the version
+    # won't match with the one in the lock file then.
+    npm_ci = False,
     package_json = "//:package.json",
     package_lock_json = "//:package-lock.json",
 )

internal/npm_install/npm_install.bzl

@@ -206,7 +206,16 @@ def _npm_install_impl(repository_ctx):
     is_windows_host = is_windows_os(repository_ctx)
     node = repository_ctx.path(get_node_label(repository_ctx))
     npm = get_npm_label(repository_ctx)
-    npm_args = ["install"] + repository_ctx.attr.args
+
+    # Use npm ci to have hermetic installs that only install the exact version
+    # from the package-lock.json file. To update or install a different version
+    # use the bazel managed binary `bazel run @nodejs//:npm install`.
+    if repository_ctx.attr.npm_ci:
+        npm_args = ["ci"]
+    else:
+        npm_args = ["install"]
+
+    npm_args.extend(repository_ctx.attr.args)
 
     # If symlink_node_modules is true then run the package manager
     # in the package.json folder; otherwise, run it in the root of
@@ -303,6 +312,18 @@ npm_install = repository_rule(
 See npm CLI docs https://docs.npmjs.com/cli/install.html for complete list of supported arguments.""",
             default = [],
         ),
+        "npm_ci": attr.bool(
+            default = True,
+            doc = """Use the `npm ci` command instead of `npm install.
+
+Don’t generate a `package-lock.json` and fail if an update is needed.
+This mode enables an exact install of the version that is specified in the `package-lock.json`
+file. It will remove the node_modules before performing an install.
+To update a dependency or install a new one run the `npm install` command with the
+vendored npm binary. `bazel run @nodejs//:npm install`. You can pass the options like
+`bazel run @nodejs//:npm install -- -D <dep-name>`.
+""",
+        ),
         "package_lock_json": attr.label(
             mandatory = True,
             allow_single_file = True,