We've seen too many build failures for Ambari, even when there are no source code changes, caused by dependent npm packages introducing breaking changes in newer versions. This happens because npm installs the latest version of each package allowed by the version range specified in package.json. Even if we pin exact versions in package.json, we are still exposed to this issue, because the packages listed in package.json declare their own dependencies with their own version ranges, so transitive packages can still resolve to new releases that contain breaking changes.
To get around this issue, we will integrate "yarn", an alternative package manager for npm packages, into the mvn build process.
Running "yarn" (i.e. "yarn install") automatically creates a "yarn.lock" file recording the exact resolved version of every installed package, including transitive dependencies, so subsequent installs get the same versions. Each entry also records the resolved tarball URL together with its checksum, so a tarball that changes under the same version number fails the install instead of being silently accepted. Note that "yarn.lock" needs to be checked in to the repository, otherwise the first build simply generates a fresh one and nothing is actually fixed; in CI, running "yarn install --frozen-lockfile" makes the build fail rather than silently rewriting the lockfile when package.json and yarn.lock disagree. An additional benefit of using "yarn" is that it dramatically speeds up npm package installs: https://yarnpkg.com/lang/en/compare/
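As an added example, not part of this ticket or of the Ambari build: a small Node script that checks a committed yarn.lock (v1 format) the way a build gate would, confirming that every dependency declared in package.json has a lock entry, that every locked entry pins a version and carries a checksum for its resolved tarball, and that each entry's own dependencies are locked too. The package.json and yarn.lock contents are constructed for the example (real package names, placeholder versions, hashes and dependency edges), and the parser covers only the fields this check needs.

```javascript
// Added example, not code from the Ambari project: a build-gate check over a
// committed yarn.lock (v1 format). It verifies that every dependency declared
// in package.json has a lock entry, that every entry pins a version and a
// checksummed tarball, and that each entry's own dependencies are locked too.
// Both inputs below are constructed for the example: the package names are
// real, the versions, hashes and dependency edges are placeholders.

const PACKAGE_JSON = JSON.stringify({
  name: "ambari-web-example",
  dependencies: { lodash: "^4.17.4", "@types/node": "^8.0.0" },
  devDependencies: { "left-pad": "~1.1.0" }
});

const YARN_LOCK = [
  "# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.",
  "# yarn lockfile v1",
  "",
  "",
  '"@types/node@^8.0.0":',
  '  version "8.10.66"',
  '  resolved "https://registry.yarnpkg.com/@types/node/-/node-8.10.66.tgz#0123456789abcdef0123456789abcdef01234567"',
  "",
  "lodash@^4.17.4, lodash@^4.17.10:",
  '  version "4.17.21"',
  '  resolved "https://registry.yarnpkg.com/lodash/-/lodash-4.17.21.tgz#89abcdef0123456789abcdef0123456789abcdef"',
  "  dependencies:",
  '    "@types/node" "^8.1.0"', // a range no entry satisfies: lockfile drift
  "",
  "left-pad@~1.1.0:",
  '  version "1.1.3"',
  '  resolved "https://registry.yarnpkg.com/left-pad/-/left-pad-1.1.3.tgz"', // no checksum
  ""
].join("\n");

// Parse a v1 yarn.lock into a Map from "name@range" key to its entry. Several
// keys (e.g. "lodash@^4.17.4, lodash@^4.17.10") may share a single entry.
function parseYarnLock(text) {
  const entries = new Map();
  let current = null;
  let inDeps = false;
  for (const line of text.split(/\r?\n/)) {
    if (line === "" || line.startsWith("#")) continue;
    if (!line.startsWith(" ")) {
      // Entry header: comma-separated keys, each optionally double-quoted, ending in ":".
      const keys = line.replace(/:$/, "").split(",")
        .map(k => k.trim().replace(/^"(.*)"$/, "$1"));
      current = { keys, version: null, resolved: null, integrity: null, dependencies: {} };
      keys.forEach(k => entries.set(k, current));
      inDeps = false;
      continue;
    }
    if (!current) continue;
    let m;
    if ((m = line.match(/^  (version|resolved|integrity) "?([^"]*)"?$/))) {
      current[m[1]] = m[2];
      inDeps = false;
    } else if (/^  (optionalDependencies|dependencies):$/.test(line)) {
      inDeps = true;
    } else if (inDeps && (m = line.match(/^    "?([^" ]+)"? "([^"]*)"$/))) {
      current.dependencies[m[1]] = m[2]; // transitive requirement: name -> range
    }
  }
  return entries;
}

// Return the findings a build gate should fail on. An empty array means every
// declared and transitive requirement resolves to a pinned, checksummed entry.
function checkLockfile(packageJsonText, lockText) {
  const pkg = JSON.parse(packageJsonText);
  const lock = parseYarnLock(lockText);
  const problems = [];
  // v1 lockfiles carry a sha1 as the URL fragment; later ones add an integrity field.
  const hasChecksum = e => Boolean(e.integrity) ||
    (typeof e.resolved === "string" && /#[0-9a-f]{40}$/.test(e.resolved));

  // 1. Direct dependencies: every "name@range" from package.json needs a lock entry.
  const declared = Object.assign({}, pkg.dependencies || {}, pkg.devDependencies || {});
  for (const [name, range] of Object.entries(declared)) {
    if (!lock.has(`${name}@${range}`)) {
      problems.push(`${name}@${range}: not in yarn.lock; run yarn and commit the updated lockfile`);
    }
  }

  // 2. Every entry is pinned and verifiable, and its own dependencies are locked too.
  const seen = new Set();
  for (const entry of lock.values()) {
    if (seen.has(entry)) continue;
    seen.add(entry);
    const label = entry.keys[0];
    if (!entry.version) problems.push(`${label}: no pinned version`);
    if (!hasChecksum(entry)) problems.push(`${label}: resolved URL has no checksum, tarball cannot be verified`);
    for (const [dep, range] of Object.entries(entry.dependencies)) {
      if (!lock.has(`${dep}@${range}`)) problems.push(`${label}: transitive ${dep}@${range} not locked`);
    }
  }
  return problems;
}

// Stand-alone run over the constructed inputs.
console.log(checkLockfile(PACKAGE_JSON, YARN_LOCK).join("\n") || "yarn.lock OK");
```

Run against the real files with fs.readFileSync in place of the constructed strings, alongside "yarn install --frozen-lockfile" in CI: the install catches package.json changes that were not followed by a lockfile update, while this check additionally flags entries that were hand-edited or merged badly (a missing transitive entry, an entry without a checksum) that a plain install would resolve and fetch without complaint.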
npm has a comparable mechanism, "npm shrinkwrap", which writes an npm-shrinkwrap.json lockfile. However, "yarn" seems superior in terms of install speed and also in the reproducibility of installed package versions: http://stackoverflow.com/questions/40057469/what-is-the-difference-between-yarn-lock-and-npm-shrinkwrap