-
-
Notifications
You must be signed in to change notification settings - Fork 739
feat: Respect the package-lock.json for a NodeJS Lambda function #681
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat: Respect the package-lock.json for a NodeJS Lambda function #681
Conversation
aadf043 to
4e390d0
Compare
Respect the `package-lock.json` so NodeJS Lambda for reproducible builds which are critical in production environments. Similarly like for the Poetry, copy a lock file, if such is present, to a temporary build directory. npm will use a `package-lock.json` file when available in a working directory. In the example `package.json`, require lower `requests` version to demonstrate `package-lock.json` usage. `package.json` specifies `~0.2.0` and the latest available matching version is `0.2.2`, but `package-lock.json` freezes version `0.2.1` and that version gets installed with this change, while previously the `0.2.2` would be installed.
4e390d0 to
5b70e1d
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Did not test, but code changes LGTM!
This PR has been automatically marked as stale because it has been open 30 days
with no activity. Remove stale label or comment or this PR will be closed in 10 days
I have forked the repository, and we have been using the patched module in production at my company for almost a month now with no issues. Could it be included in the next release so that we can switch back to the original module, please?
This PR has been automatically marked as stale because it has been open 30 days
with no activity. Remove stale label or comment or this PR will be closed in 10 days
@antonbabenko, could you please consider this PR? We have used the fix in production for almost two months without any issues. It would be nice if we could switch back to the official repo.
This PR has been automatically marked as stale because it has been open 30 days
with no activity. Remove stale label or comment or this PR will be closed in 10 days
@antonbabenko, could you please consider this PR? We have used the fix in production for almost three months without any issues. It would be nice if we could switch back to the official repo.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks good, I used Graphite to help me review it.
5e4391c
into
terraform-aws-modules:master
## [8.1.0](v8.0.1...v8.1.0) (2025年08月22日) ### Features * Respect the package-lock.json for a NodeJS Lambda function ([#681](#681)) ([5e4391c](5e4391c))
This PR is included in version 8.1.0 🎉
I'm going to lock this pull request because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems related to this change, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.
Uh oh!
There was an error while loading. Please reload this page.
Description
Respect the
package-lock.jsonso NodeJS Lambda for reproducible builds, which are critical in production environments. Similarly, like for the Poetry, copy a lock file, if such is present, to a temporary build directory. npm will use apackage-lock.jsonfile when available in a working directory.In the example
package.json, require a lowerrequestsversion to demonstratepackage-lock.jsonusage.package.jsonspecifies~0.2.0and the latest available matching version is0.2.2, butpackage-lock.jsonfreezes version0.2.1and that version gets installed with this change, while previously the0.2.2would be installed.Motivation and Context
npmbecause thepackage-lock.jsonis not copied to a temporary build directory.Breaking Changes
package-lock.jsonis not present in the source directory.package-lock.jsonis present, it will be honoured going forward, by default, which would be an expected behaviour. This should be desired because a new version of a dependency might unexpectedly break a deployment, as mentioned in the package.py should respect package-lock.json when creating an archive for Node.js lambda functions. #423 , while locked dependencies would have been tested in unit tests. If someone doesn't want to lock their dependencies, they shouldn't have a lock file.How Has This Been Tested?
examples/*to demonstrate and validate my change(s)examples/*projectsterraform applyinexamples/build-package/(with commented out irrelevant Python examples for clarity).buildsdirectory, I checked whether the zip file's content appeared as expected.requests-0.3.0dependency.reqests-0.2.1dependency, as expected.pre-commit run -aon my pull request