Use yarn install with --prefer-offline and --pure-lockfile ? about yarnhook HOT 4 CLOSED

Both of these suggestions make a lot of sense to me, so thanks! 👍 I think I can do it this weekend or leave it to you if you'd rather do it.

I'd also appreciate investigating similar sane defaults for other supported package managers if you decide you wanna do it.

from yarnhook.

npm:
--prefer-offline (https://blog.npmjs.org/post/161081169345/v500)

A new --prefer-offline option will make npm skip any conditional requests (304 checks) for stale cache data, and only hit the network if something is missing from the cache.

--no-audit maybe ? https://docs.npmjs.com/cli/install

The --no-audit argument can be used to disable sending of audit reports to the configured registries. See npm-audit for details on what is sent.

There is no option for read-only the package-lock.json, except npm ci but not something I would use here

from yarnhook.

pnpm:
--prefer-offline https://pnpm.js.org/docs/en/pnpm-install.html#prefer-offline

If true, staleness checks for cached data will be bypassed, but missing data will be requested from the server.

--frozen-shrinkwrap

If true, pnpm doesn't generate a shrinkwrap file and fails if an update is needed.

--prefer-frozen-shrinkwrap

When true and the available shrinkwrap.yaml satisfies the package.json then a headless installation is performed. A headless installation is faster than a regular one because it skips dependencies resolution and peers resolution.

Unfortunately, there is no equivalent to pure-lockfile : either it fails (which I think is not a good thing for a hook) or it can be updated with prefer-frozen-shrinkwrap. I think prefer-frozen-shrinkwrap is better here ?

from yarnhook.

I think these options make more sense than the alternatives, and I agree that the package managers should offer more options. It may make sense to open issues to address these problems.

from yarnhook.