Misleading "PRO TIP" about missing "package-lock.json" (with npm-shrinkwrap.json) #852
Description
Problem Description
For our Node.js application, we always receive the following message:
-----> Creating runtime environment
PRO TIP: Warning: package-lock.json not found. The buildpack may reach out to the internet to download module updates, even if they are vendored.
Visit https://docs.cloudfoundry.org/buildpacks/node/index.html#offline_environmentsInterestingly, in the next step the logs indicate that a prebuild was succssfully detected:
Prebuild detected (node_modules already exists)
Rebuilding any native modules
rebuilt dependencies successfully
Installing any new modules (package.json + npm-shrinkwrap.json)We are using a npm-shrinkwrap.json instead of a package-lock.json. To my understanding, they should work the same for vendoring (also see https://stackoverflow.com/a/46132512).
Context
I checked the code that prints this message, and it seems to loop over two files package-lock.json and npm-shrinkwrap.json. The order of the files seems to be important for the following loop.
The loop goes over these files and if it does not find a file, it returns the "PRO TIP".
This does not make any sense for the npm-shrinkwrap.json (as the "PRO TIP" only mentions the package-lock.json).
And I also think it does not make sense to expect both the package-lock.json and npm-shrinkwrap.json (as they are basically the same file in different format).
Expected Behavior
I would expect that when you either have a package-lock.json or npm-shrinkwrap.json it does not show the "PRO TIP" and if none of these files are present the "PRO TIP" is shown and the message includes both options (either having a package-lock.json or npm-shrinkwrap.json).
Maybe, I am also missing something here (but I tried to look when/why the change was implemented and could not find anything that indicates the correctness of the current functionality).