non repeatable builds where node is used

[jtnord]

Jenkins and plugins versions report

Environment

Paste the output here

What Operating System are you using (both controller, and any agents involved in the problem)?

N/A

Reproduction steps

1. clone a project that is using some node modules as part of its builds
2. build the project (inspect the package-lock.json file and archive it
3. wait an amount of time for newer packages to be available
4. clean the project (git clean -fdx)
5. build the project
   6 compare the 2 package-lock.json files

Expected Results

they are identical, any build can be cloned from SCM and the rebuilt by using defined versions of dependencies

Actual Results

there are changes. builds in CI and locally use the latest that they resolve

Anything else?

the build is using npm install and not npm ci

the pom should be configured to use npm ci by default and if/when things are updated a developer should run npm install locally and then commit the changes to the package-lock.json

see jenkinsci/bom#2121 (comment) and jenkinsci/bootstrap5-api-plugin#220

[timja]

wow, pretty awful imo, yarn is more sensible in that regard.

I think the pom should be configured to use npm install by default and if the environment value CI is set then it should run npm ci.

Otherwise every mvn install will just wipe node modules which could have horrific performance impacts, (especially for people on windows where npm is slower)

but that may not work with people who do local releases.