The gitlab-runner cache is useless with `meteor npm ci` command
The current pipeline runtime is around 7 minutes 30 seconds. Looking at why it's so long, I found 2 related topics about npm package managers:
`meteor npm ci` vs `meteor npm install`
The `meteor npm ci` command removes the `node_modules` if it's present.
- The first run executes in around 50s
```
root@e6522b6e68c0:~/laboite/app# time meteor npm ci
> app@3.3.3 preinstall /root/laboite/app
> npx npm-force-resolutions
[…]
added 718 packages in 47.796s
real 0m48.594s
user 0m41.385s
sys 0m8.735s
```
- The second run is a little longer
```
root@e6522b6e68c0:~/laboite/app# time meteor npm ci
npm WARN prepare removing existing node_modules/ before installation
[..................] / : WARN prepare removing existing node_modules/ before installation
[…]
added 718 packages in 51.201s
real 0m51.963s
user 0m43.133s
sys 0m13.302s
```
And the command modifies the `package-lock.json`:
diff --git a/app/package-lock.json b/app/package-lock.json
index b9136b5..8ce9c76 100644
--- a/app/package-lock.json
+++ b/app/package-lock.json
@@ -1283,7 +1283,7 @@
"integrity": "sha512-lepxk4ezkrpSkVTd8vA2H3HCvP7MVoeSCi6DwRntY5eyHThEKZJZXio0k+NfTBZ6IODB3Ipi6sGEKAWMKRieZA==",
"requires": {
"assign.js": "^2.8.11",
- "axios": "^0.19.2",
+ "axios": "0.23.0",
"form-data": "^3.0.0",
"isa.js": "^2.2.12",
"pino": "~6",
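Review bot: In the `requires` block of this hunk the axios constraint goes from the caret range `^0.19.2` to the exact version `0.23.0`, while the `integrity` value on the context line above it is unchanged, so the install is rewriting a dependency's declared requirements inside the lockfile. The `npx npm-force-resolutions` preinstall step shown in the logs is the likely writer of this change (an assumption, the diff itself does not say). Commit the lockfile with the forced resolution already applied and have the pipeline run `git diff --exit-code app/package-lock.json` after the install, so a rewritten constraint fails the job instead of ending up in a cached `node_modules`.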
@@ -11310,4 +11310,4 @@
"integrity": "sha512-3wdGidZyq5PB084XLES5TpOSRA3wjXAlIWMhum2kRcv/41Sn2emQ0dycQW4uZXLejwKvg6EsvbdlVL+FYEct7A=="
}
}
-}
+}
\ No newline at end of file
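Review bot: The only change in this hunk is the final `}` losing its trailing newline (`\ No newline at end of file`), which is formatting noise but still changes the file's bytes. Any cache key or integrity check computed over `app/package-lock.json` will differ from the committed file after the install; commit the file in the form the tool writes, or restore the trailing newline after the install, so the hash stays stable.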
According to the documentation, `npm install` uses `package-lock.json` too:
If the package has a package-lock, or an npm shrinkwrap file, or a yarn lock file, the installation of dependencies will be driven by that, respecting the following order of precedence:
- npm-shrinkwrap.json
- package-lock.json
- yarn.lock
Another point is that `meteor npm install` does not install the same number of packages:
```
root@e6522b6e68c0:~/laboite/app# time meteor npm install
> app@3.3.3 preinstall /root/laboite/app
> npx npm-force-resolutions
[…]
added 1261 packages from 1819 contributors and audited 829 packages in 66.272s
108 packages are looking for funding
run `npm fund` for details
found 3 moderate severity vulnerabilities
run `npm audit fix` to fix them, or `npm audit` for details
real 1m7.677s
user 1m0.313s
sys 0m12.131s
```
But the second run is much faster since `node_modules` is not removed:
```
root@e6522b6e68c0:~/laboite/app# time meteor npm install
> app@3.3.3 preinstall /root/laboite/app
> npx npm-force-resolutions
[…]
audited 829 packages in 16.04s
108 packages are looking for funding
run `npm fund` for details
found 3 moderate severity vulnerabilities
run `npm audit fix` to fix them, or `npm audit` for details
real 0m17.236s
user 0m11.942s
sys 0m1.259s
```
As a final note for this topic, the `meteor npm ci` command supports the `--production` flag:
```
root@e6522b6e68c0:~/laboite/app# time meteor npm ci --production
> app@3.3.3 preinstall /root/laboite/app
> npx npm-force-resolutions
[…]
added 433 packages in 42.683s
real 0m43.442s
user 0m35.502s
sys 0m7.010s
```
But this does not install the same number of packages as `meteor npm install --production`:
```
root@e6522b6e68c0:~/laboite/app# time meteor npm install --production
> app@3.3.3 preinstall /root/laboite/app
> npx npm-force-resolutions
[…]
added 976 packages from 1776 contributors and audited 829 packages in 56.852s
65 packages are looking for funding
run `npm fund` for details
found 3 moderate severity vulnerabilities
run `npm audit fix` to fix them, or `npm audit` for details
real 0m58.166s
user 0m53.192s
sys 0m8.811s
```
| command | number of packages |
|---|---|
| `meteor npm ci` | 718 |
| `meteor npm ci --production` | 433 |
| `meteor npm install` | 1261 |
| `meteor npm install --production` | 976 |
`package-lock.json` vs `npm-shrinkwrap.json`
According to the documentation, `package-lock.json` should not be committed to the source repository; this is the role of `npm shrinkwrap`.
`npm` vs `yarn`
It looks like the `yarn` package manager could be used if it's installed globally, but is it better than `npm`?
```
root@e6522b6e68c0:~/laboite/app# meteor npm install --global
root@e6522b6e68c0:~/laboite/app# meteor yarn install --production
yarn install v1.22.17
info No lockfile found.
$ npx npm-force-resolutions
npx: installed 6 in 1.839s
[…]
success Saved lockfile.
Done in 127.48s.
```
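
The two problems measured in this issue (`meteor npm ci` deleting a restored `node_modules`, and the install rewriting `package-lock.json`) can both be handled by keying the cache on the lockfile's hash and refusing to stamp a tree whose lockfile changed during install. The shell functions below are an added example, not code from the laboite project; the function names, the `.lock-sha256` stamp file and the status words are assumptions.

```shell
#!/bin/sh
# Added example, not the project's code. Function names, the stamp file
# and the status words are assumptions made for illustration.

# Print the SHA-256 of a file (first field of sha256sum's output).
lock_hash() {
    sha256sum "$1" | cut -d' ' -f1
}

# cached_install APP_DIR INSTALL_CMD [ARGS...]
# Prints one status word on stdout:
#   hit        restored node_modules matches the lockfile, install skipped
#   installed  install ran and left package-lock.json untouched
#   drift      install rewrote package-lock.json (returns 1, no stamp written)
#   failed     lockfile missing or install command failed (returns 1)
cached_install() {
    app_dir=$1; shift
    lock="$app_dir/package-lock.json"
    stamp="$app_dir/node_modules/.lock-sha256"
    [ -f "$lock" ] || { echo failed; return 1; }
    before=$(lock_hash "$lock")

    # Cache hit: the cached tree was built from this exact lockfile.
    if [ -f "$stamp" ] && [ "$(cat "$stamp")" = "$before" ]; then
        echo hit; return 0
    fi

    # Cache miss: run the real install. Its output goes to stderr so that
    # stdout carries only the status word.
    ( cd "$app_dir" && "$@" ) >&2 || { echo failed; return 1; }

    # A lockfile changed by the install means the tree does not correspond
    # to what was committed, so it must not be stamped as trustworthy.
    after=$(lock_hash "$lock")
    if [ "$before" != "$after" ]; then
        echo drift; return 1
    fi
    mkdir -p "$app_dir/node_modules"
    printf '%s\n' "$after" > "$stamp"
    echo installed
}

# Assumed usage in a CI job: cached_install app meteor npm ci
```
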