Skip to content

Component deploy: package-lock.json is now respected (breaking for enterprise npm registries) #681

Description

@kriszyp

In 4.5, the component deploy process changed to respect package-lock.json during npm install. Previously, deployments ignored the lockfile — dependencies were installed fresh from the public registry.

This breaks deployments for users whose package-lock.json contains references to an internal/enterprise npm registry (e.g. Artifactory, Nexus) that isn't accessible from Harper instances.

Customer workaround

Remove package-lock.json entirely from the deployed component package. Not viable long-term — it removes reproducibility from the build.

Ask

Either:

  1. Skip the lockfile during Harper deploy install — use npm install --no-package-lock or npm install --ignore-scripts to always resolve from the public registry (or from package.json's registry field). This was the implicit behavior before 4.5.
  2. Provide a config flagdeploy_component option to choose "honor lockfile" vs. "ignore lockfile" so operators can pick the right behavior for their network topology.

Related


🤖 Filed by Claude on behalf of Kris.

Metadata

Metadata

Assignees

No one assigned

    Labels

    area:componentsComponents / applications subsystembugSomething isn't workingfrom-jiraMigrated or originated from a Jira ticket

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions