From 8a6367430fa2685aad4b1f6c06c4a651b7a3cd5c Mon Sep 17 00:00:00 2001
From: Praveen Singh
Date: Sun, 22 Mar 2026 19:43:06 +0530
Subject: [PATCH] fix: use npm ci with package-lock.json in Dockerfile
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The runtime stage copies nemoclaw/package.json into /opt/nemoclaw/ but omits nemoclaw/package-lock.json, then runs 'npm install --omit=dev'. Without the lockfile npm resolves dependencies from the registry at build time. Two docker builds from the same Git commit can install different transitive dependency versions if any package is updated between runs — producing non-reproducible images.

Fix: copy nemoclaw/package-lock.json alongside package.json and replace 'npm install' with 'npm ci'. npm ci reads the lockfile, installs exactly the pinned versions, and fails fast if package.json and package-lock.json drift out of sync.

Signed-off-by: Praveen Singh
---
 Dockerfile | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/Dockerfile b/Dockerfile
index 769614d1d..8d3c398fa 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -24,12 +24,12 @@ RUN pip3 install --break-system-packages pyyaml
 # Copy our plugin and blueprint into the sandbox
 COPY nemoclaw/dist/ /opt/nemoclaw/dist/
 COPY nemoclaw/openclaw.plugin.json /opt/nemoclaw/
-COPY nemoclaw/package.json /opt/nemoclaw/
+COPY nemoclaw/package.json nemoclaw/package-lock.json /opt/nemoclaw/
 COPY nemoclaw-blueprint/ /opt/nemoclaw-blueprint/
 
 # Install runtime dependencies only (no devDependencies, no build step)
 WORKDIR /opt/nemoclaw
-RUN npm install --omit=dev
+RUN npm ci --omit=dev
 
 # Set up blueprint for local resolution
 RUN mkdir -p /sandbox/.nemoclaw/blueprints/0.1.0 \
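Review bot: The new `RUN npm ci --omit=dev` line leaves npm's download cache in the layer, so the image ships the cached package tarballs it just installed; change it to `RUN npm ci --omit=dev && npm cache clean --force`, or keep the cache off-image with `RUN --mount=type=cache,target=/root/.npm npm ci --omit=dev` if the build uses BuildKit. With the lockfile now driving the install, `npm ci` also verifies each package against the lockfile's `integrity` hashes, so changes to nemoclaw/package-lock.json should be reviewed as carefully as code, and the build context's .dockerignore (not visible here) must not exclude that file or the new COPY line fails. If none of the runtime dependencies need install scripts, adding `--ignore-scripts` would stop dependency lifecycle scripts from executing during the build; whether that is safe has to be confirmed against the actual dependency set.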