Managing private NPM packages and CI/CD

configuration-managementcontinuous integrationdockernode.jsnpm

At work, we have an application that is run directly on dev machines, but deployed in Docker swarms (a QA swarm and production swarm). The code and CI/CD pipelines are all in GitLab CE.

It uses several private, internal NPM packages. We refer to these packages in the package.json like so:

"@project/utils": "git@gitlab.com:project/utils.git#branch"

This gives us a few problems:

When developing locally on a feature branch, you have to manually edit the package.json but not check it in, and append the feature branch to the dependency URL.
Since it's a git URL, Yarn/NPM will not check and get the latest code (even if the package.json version is incremented). You have to delete the dependency from the node_modules and delete (or edit) the yarn.lock/package-lock.json file (though I believe yarn upgrade does now upgrade git packages). We do have scripts to do this but, ew.
We have scripts in our CI/CD pipelines that have to "fix" the branches in the package.json for internal dependencies. This increases build time considerably, and makes it quite fragile. Basically:
1. yarn install --frozen-lockfile
2. ./fixInternalPrivatePackages.sh package.json $BRANCH #where $branch can be #qa, feature-blah, etc.
3. yarn install #to now get any changed dependencies, sometimes modifies other unrelated deps in the lockfile
4. yarn run build

And then it's pushed to a Docker registry.

With this setup the lockfile sometimes gets modified, causing builds to fail. It's also a pain to manage on dev machines. Devs sometimes check-in their package.json with the wrong #branch, and this causes other people's builds to fail.

Possible solutions:

Automate tagging internal dependencies, then adjust the package.json with these tags (could really just be the commit hash).
Private package repository. This fixes the problem with getting the latest version if the latest is always pushed. I believe this should fix the fixInternalPrivatePackages hacky script situation as well.
Git/NPM pre/post hooks/scripts to fix a project's own package.json (remove all branches, etc.)

But all these solutions just seem more like band-aids on a fundamental problem. Are we doing this the right way? Are there any example projects with internal dependencies like this that I could get some inspiration from?

I feel like one fundamental issue is that the internal dependencies need their own independent QA->Prod cycle, so that they are already locked to a specific version before the rest of the app is moved along from QA->prod.

Another problem is that while yarn and npm now have lockfiles (we don't talk about the time before lockfiles), our workflow breaks this functionality when it has to modify the package.json to switch branches, and reinstall dependencies without the --frozen-lockfile switch. We want reproducible builds, and I can't guarantee that we have them.

It takes a long time to get a developer up to speed on our project because of all these configuration management issues. The actual code itself is much simpler than the code that requires DevOps knowledge to get it running.

Best Answer

Well, I stumbled on Lerna from a post from Hacker News and it appears to be just what we need. I will accept if it works out but it's going to be a while.

Splitting up large codebases into separate independently versioned packages is extremely useful for code sharing. However, making changes across many repositories is messy and difficult to track, and testing across repositories gets complicated really fast.

To solve these (and many other) problems, some projects will organize their codebases into multi-package repositories. Projects like Babel, React, Angular, Ember, Meteor, Jest, and many others develop all of their packages within a single repository.

Lerna is a tool that optimizes the workflow around managing multi-package repositories with git and npm.

I'm also removing the fixInternalPrivatePackages.sh CI step and just checking in the branched project's package.json as it should be. This will require manual steps if a new branch is added to a dependency but that happens less often than problems from the CI script.

UPDATE Sept 2018:

Lerna is nice but won't help our CI workflow. It's more for dev workstations. We really need a private package repository to keep published versions. QA and feature branches can use latest tags, where production can use our semver-ish tags.

I discovered Verdaccio, and I'm hoping it will resolve our dependency hell.

UPDATE Dec 2018:

The React project itself seems well organized and a good project to imitate. Using yarn workspaces seems like a good idea -- but it would take time to convert everything to a monorepo.

Related Solutions

Best practices for adding Node.JS build features to a non-Node project

Having both share the same root is fine. Apache Freemarker Docgen uses this structure. Invoking the JavaScript build from within the Java build is the standard. Running npm install can be decided programmatically by the Java build. For example, in Maven:

<plugin>
    <groupId>com.github.eirslett</groupId>
    <artifactId>frontend-maven-plugin</artifactId>
    <version>0.0.27</version>

    <executions>

      <execution>
        <id>install node and npm</id>
        <goals>
          <goal>install-node-and-npm</goal>
        </goals>
        <configuration>
          <nodeVersion>v4.2.1</nodeVersion>
          <npmVersion>3.5.3</npmVersion>
        </configuration>
      </execution>

      <execution>
        <id>npm install</id>
        <goals>
          <goal>npm</goal>
        </goals>
        <configuration>
          <arguments>install</arguments>
        </configuration>
      </execution>

      <execution>
        <id>npm run build</id>
        <goals>
          <goal>npm</goal>
        </goals>
        <configuration>
          <arguments>run build</arguments>
        </configuration>
      </execution>

    </executions>
</plugin>

References

What version numbers should I assign to builds on different branches as part of continuous integration for NET Core-based projects

You need to better understand the specific requirements you have from versioning.

Most of my cases are end user applications. In this scenario a single version number is sufficient, all I require from the version is to match it to a commit ID.

Other, less frequent, cases are libraries. In this case there is an additional requirement to match to an API version. v123.2 and v124.1 refers to API versions 124 and 123, while 1 and 2 refers to a sequential patch number (it might refer to some bug corrected in both API versions).

This a summary of my requirements. You need to understand yours and be aware to not fall to a situation where mantaining version numbers hinders development, that is not the point. Latelly I've been using a build process to inject the actual commit id, but not sure if I like it that much.