Build should error if package.json and package-lock.json are out of sync about npm-install HOT 3 CLOSED

I think a warning here is too subtle. Several users have already reported bugs that had this root issue. It gets reported as "the buildpack isn't updating my dependency" and then we discover that the package-lock.json was not updated. It causes confusion and results in invalid bug reports showing up here. I think it merits a build failure so that we can inform the user that their source is not validly configured.

from npm-install.

Would it be appropriate to just warn the user through build output that their app may be out of date. So we could take a checksum of package.json and if that changes between runs but we decide to reuse the layer we could print a message to the effect of The package.json has changed but node_module/npm-cache/package-lock.json has stayed the same this may result in unexpected behavior please regenerate those artifacts.?

from npm-install.

From what I can see of the npm-ci docs,

If dependencies in the package lock do not match those in package.json, npm ci will exit with an error, instead of updating the package lock.

So I think if the npm ci build process decided it should still run even if the package-lock.json is unchanged, we can get a nice error message for free. Unfortunately, with about a bit more logic, we lose the performance benefit of reusing a valid cached node_modules since

If a node_modules is already present, it will be automatically removed before npm ci begins its install.

from npm-install.