2

Is there any way to control what versions of dependencies (and transient dependencies) are installed when deploying a cloud function?

Since the cloud function runtime uses node v6.11.5, I assume it is using npm v3.10.10 distributed with that version of node. This version of npm does not support package.lock (added in npm v5.0.0).

I set all versions to fixed versions (removing the ^) in my package.json and added save-exact=true to my .npmrc file, but this will only control direct dependencies. Transient dependencies are not locked in this manner.

Is there any way to control all installed dependency versions in cloud functions? Is npm shrinkwrap.json honored?

codyzu

2 Answers

1

I posted a question in the Cloud Functions Beta Testers group and they confirmed that the npm-shrinkwrap.json is not honored when deploying to Cloud Functions.

Response from the Product Manager:

> Currently, we don't support the npm-shrinkwrap.json file. We're looking at making some improvements to dependency management as we think about our runtime strategy, and this is a suggestion that we'll definitely consider.

As they recommended, I created an issue on their public issue tracker. Add your support to that issue (by starring it) if this is something you want too!

As a senior Node.js developer, having a means to have reproducible installations is essential to delivering production-worthy code.

codyzu
0

npm-shrinkwrap.json and package-lock.json behave differently only from the point of view of an NPM package author/maintainer.

package-lock.json won't be published to the NPM registry (but it will stay with the source code) and guarantees that any author/maintainer of the project will get the same dependencies.

npm-shrinkwrap.json is instead meant to be published to the NPM registry and guarantees that not only authors/maintainers but also the users who install the package get the same dependencies.

Since your project is not related to authoring an NPM package, you can rely on npm-shrinkwrap.json to have a reproducible dependency tree using any NPM version.

Andrea Carraro
  • Thanks for your answer! Do you know if Google Cloud Functions respects npm-shrinkwrap.json? (They use an old version of node, so I'm confident the package-lock.json will be ignored.) – codyzu Feb 19 '18 at 09:38
  • npm@3.x supports `npm-shrinkwrap.json`. – Andrea Carraro Feb 19 '18 at 12:49
  • yes, I agree... it _should_ work. My question was looking for confirmation from Google that cloud functions are simply `npm install`ed. It's not documented anywhere that I can find :-( – codyzu Feb 19 '18 at 15:54
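
Since the first answer reports that npm-shrinkwrap.json is not honored at deploy time, one way to catch drift is to compare the pinned tree with the tree that was actually installed. The following is an added example, not code from the original posts or from Google: the package names, versions and the helper names `collect` and `findDrift` are constructed, and the installed tree is assumed to have the nested shape of `npm ls --json` output.

```javascript
'use strict';
// Constructed sample data: package names and versions are invented.
// SHRINKWRAP mimics npm-shrinkwrap.json; INSTALLED mimics `npm ls --json`.
const SHRINKWRAP = {
  name: 'my-function', version: '1.0.0',
  dependencies: {
    'web-framework': { version: '4.1.0', dependencies: {
      'log-util': { version: '2.6.8' } } },
    'uuid-gen': { version: '3.2.1' }
  }
};
const INSTALLED = {
  name: 'my-function', version: '1.0.0',
  dependencies: {
    'web-framework': { version: '4.1.0' },
    'log-util': { version: '2.6.9' },   // hoisted, and newer than the pin
    'uuid-gen': { version: '3.2.1' }
  }
};

// Collect every "name@version" in a nested `dependencies` tree, at any depth,
// so hoisting differences between the two trees do not matter.
function collect(deps, out = new Set()) {
  for (const [name, info] of Object.entries(deps || {})) {
    out.add(`${name}@${info.version}`);
    collect(info.dependencies, out);
  }
  return out;
}

// Report versions installed but never pinned, and pins that were not installed.
function findDrift(shrinkwrap, installed) {
  const pinned = collect(shrinkwrap.dependencies);
  const actual = collect(installed.dependencies);
  return {
    unpinned: [...actual].filter((id) => !pinned.has(id)).sort(),
    missing: [...pinned].filter((id) => !actual.has(id)).sort()
  };
}

// Demo run on the constructed trees above.
const drift = findDrift(SHRINKWRAP, INSTALLED);
console.log(JSON.stringify(drift, null, 2));
```

Here the direct dependencies match exactly, yet the transitive `log-util` resolved to a different version than the one pinned, which is the case that exact versions in package.json alone cannot prevent.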