In 4.5, the component deploy process changed to respect package-lock.json during npm install. Previously, deployments ignored the lockfile — dependencies were installed fresh from the public registry.
This breaks deployments for users whose package-lock.json contains references to an internal/enterprise npm registry (e.g. Artifactory, Nexus) that isn't accessible from Harper instances.
Customer workaround
Remove package-lock.json entirely from the deployed component package. Not viable long-term — it removes reproducibility from the build.
Ask
Either:
- Skip the lockfile during Harper deploy install — use
npm install --no-package-lock or npm install --ignore-scripts to always resolve from the public registry (or from package.json's registry field). This was the implicit behavior before 4.5.
- Provide a config flag —
deploy_component option to choose "honor lockfile" vs. "ignore lockfile" so operators can pick the right behavior for their network topology.
Related
🤖 Filed by Claude on behalf of Kris.
In 4.5, the component deploy process changed to respect
package-lock.jsonduringnpm install. Previously, deployments ignored the lockfile — dependencies were installed fresh from the public registry.This breaks deployments for users whose
package-lock.jsoncontains references to an internal/enterprise npm registry (e.g. Artifactory, Nexus) that isn't accessible from Harper instances.Customer workaround
Remove
package-lock.jsonentirely from the deployed component package. Not viable long-term — it removes reproducibility from the build.Ask
Either:
npm install --no-package-lockornpm install --ignore-scriptsto always resolve from the public registry (or frompackage.json'sregistryfield). This was the implicit behavior before 4.5.deploy_componentoption to choose "honor lockfile" vs. "ignore lockfile" so operators can pick the right behavior for their network topology.Related
npm install <pkg>for registry packages" touches the same install path.🤖 Filed by Claude on behalf of Kris.