Amphtml: Use one package manager, not two

See #11289 for a discussion + experiment on caching the results of npm install.

@danielrozenberg @choumx @erwinmombay Ever since we moved to package-lock.json, we're running into the case where some of our dependencies have different sets of sub-dependencies on linux and macos, due to which there's no stable state for package-lock.json. I wonder if there's a way to fix this, by always installing all optional dependencies, irrespective of the platform.

This is an issue on npm: https://github.com/npm/npm/issues/18135

I wonder if we should move back to using yarn until this is fixed.

Do we have to include the package-lock.json file? It's recommended practice but if it's buggy then the recommendation is moot. We can add it to .gitignore until npm/npm#18135 is fixed

It turns out that package-lock.json is ignored on Travis if there's a cached node_modules directory. So right now, we aren't actually using the lock file anywhere. See https://github.com/travis-ci/travis-ci/issues/7936

I like the idea of adding package-lock.json to .gitignore for now, since I'm not sure that it's doing anything for us. We could also delete it, but I may be missing something.

Remind me again, why are we using a lock file? :/

We can think of package-lock.json as "last known working state of the package dependencies"
(StackOverflow.) It's useful to have, but ideally package.json should always be able to generate functioning code

It also locks in the versions of unlisted packages (i.e., the packages that are implied via the dependencies of the packages that are declared explicitly) - again, for the purpose of locking in a last known good version

Because accidental breaking changes can slip into semantically versioned packages. That means new AMP contributors may get into a state where npm install doesn't work out of the box. This risk increases with the total number of dependencies, direct and indirect. More reading: https://yarnpkg.com/blog/2016/11/24/lockfiles-for-all/

Between the Travis and NPM issues you linked, maybe we should move back to yarn. 😄

For some context, the original FR from over a year ago: #2771

i would bring back yarn for security and other caches having deterministic builds (even more important than having working local builds for amp contributors)

Gotcha. I agree that moving back to yarn (lock file, caching, presubmit check to make sure lock file is updated, etc.) is the way to go for now.

I'm on it

For still more context, see https://github.com/npm/npm/issues/17722. I don't think there's a supported way to generate a steady-state version of package-lock.json from mac and linux.