`mops install` in CI today auto-detects `CI=1` and switches the default `--lock` from `update` to `check`, but silently skips integrity if `mops.lock` is missing. This is the opposite of what `npm ci` and `cargo build --locked` do — both fail loudly. A contributor who never commits `mops.lock` (or deletes it) gets a green CI build that resolves a fresh dependency graph, defeating the purpose of the lockfile.
Two related changes, ship together in the next major:
- Fail loudly when the lockfile is missing in strict mode — match `npm ci` / `cargo --locked`.
- Drop the `CI` env-var auto-detection. Replace it with an explicit user choice — either a `--frozen` / `--locked` flag (cargo style) or a separate `mops ci` subcommand (npm style). Env-var magic is fragile (e.g. `direnv` setting `CI=1` locally silently changes mops behavior).
Breaking change — defer until the next major version bump.
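
Until the tool fails on a missing lockfile itself, a CI job can enforce the behaviour requested above with a pre-install guard. This is an added example, not mops code: the function names and exit codes are assumptions, and only `mops.lock` and `mops install --lock check` come from the issue.

```shell
#!/usr/bin/env bash
# Added example: pre-install lockfile guard for a CI step.
# Function names and exit codes are hypothetical; only mops.lock and
# `mops install --lock check` are taken from the issue text.

# check_lockfile DIR
# Returns 0 when DIR/mops.lock exists, is non-empty and, if DIR is inside a
# git work tree, is tracked. Returns 2, 3 or 4 with a message otherwise.
check_lockfile() {
  local dir="${1:-.}" lock="mops.lock"
  if [ ! -f "$dir/$lock" ]; then
    echo "error: $dir/$lock is missing; refusing to resolve a fresh graph" >&2
    return 2
  fi
  if [ ! -s "$dir/$lock" ]; then
    echo "error: $dir/$lock is empty" >&2
    return 3
  fi
  # A lockfile that only exists in the runner's workspace (created by an
  # earlier step, never committed) pins nothing for the next build.
  if git -C "$dir" rev-parse --is-inside-work-tree >/dev/null 2>&1; then
    if ! git -C "$dir" ls-files --error-unmatch "$lock" >/dev/null 2>&1; then
      echo "error: $dir/$lock is not tracked by git" >&2
      return 4
    fi
  fi
  return 0
}

# ci_install DIR
# Runs the guard, then installs with lock checking requested explicitly
# instead of relying on CI=1 auto-detection.
ci_install() {
  local dir="${1:-.}"
  check_lockfile "$dir" || return $?
  (cd "$dir" && mops install --lock check)
}
```

Call `ci_install .` as the install step so a deleted or uncommitted `mops.lock` turns the job red before any dependency is resolved.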