Nope, you need to run `npm ci` to guarantee that you don't write a new lockfile. | Hacker News

Hacker Newsnew | past | comments | ask | show | jobs | submit

		riking on April 1, 2022 \| parent \| context \| favorite \| on: How Go mitigates supply chain attacks Nope, you need to run `npm ci` to guarantee that you don't write a new lockfile.

hashhar on April 1, 2022 [–]

Also the lockfiles are not recursive. i.e. they don't apply to the dependencies you install or their transitive deps.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact