build: move to npm ci where possible

Trott · targos · commit 4c5fc5c7ce58 · 2018-07-20T18:38:29.000+02:00
Recent events (involving a maliciously published version of a popular module's dependency) have reinvigorated my interest in seeing us move to `npm ci` instead of `npm install`. This moves us to `npm ci` where possible in Makefile and vcbuild.bat. PR-URL: #21802 Reviewed-By: Tiancheng "Timothy" Gu <timothygu99@gmail.com> Reviewed-By: Richard Lau <riclau@uk.ibm.com> Reviewed-By: Refael Ackermann <refack@gmail.com> Reviewed-By: James M Snell <jasnell@gmail.com>
diff --git a/Makefile b/Makefile
@@ -659,6 +659,7 @@ available-node = \
 	fi;
 
 run-npm-install = $(PWD)/$(NPM) install --production --no-package-lock
+run-npm-ci = $(PWD)/$(NPM) ci
 
 tools/doc/node_modules/js-yaml/package.json:
 	cd tools/doc && $(call available-node,$(run-npm-install))
@@ -1068,12 +1069,12 @@ lint-md-clean:
 
 tools/remark-cli/node_modules: tools/remark-cli/package.json
 	@echo "Markdown linter: installing remark-cli into tools/"
-	@cd tools/remark-cli && $(call available-node,$(run-npm-install))
+	@cd tools/remark-cli && $(call available-node,$(run-npm-ci))
 
 tools/remark-preset-lint-node/node_modules: \
 	tools/remark-preset-lint-node/package.json
 	@echo "Markdown linter: installing remark-preset-lint-node into tools/"
-	@cd tools/remark-preset-lint-node && $(call available-node,$(run-npm-install))
+	@cd tools/remark-preset-lint-node && $(call available-node,$(run-npm-ci))
 
 .PHONY: lint-md-build
 lint-md-build: tools/remark-cli/node_modules \
diff --git a/vcbuild.bat b/vcbuild.bat
@@ -614,12 +614,12 @@ if not defined lint_md_build goto lint-md
 SETLOCAL
 echo Markdown linter: installing remark-cli into tools\
 cd tools\remark-cli
-%npm_exe% install
+%npm_exe% ci
 cd ..\..
 if errorlevel 1 goto lint-md-build-failed
 echo Markdown linter: installing remark-preset-lint-node into tools\
 cd tools\remark-preset-lint-node
-%npm_exe% install
+%npm_exe% ci
 cd ..\..
 if errorlevel 1 goto lint-md-build-failed
 ENDLOCAL
