The prepare step inadvertently triggers a full `npm install`

[Avaq]

Running npm version without --package-lock-only causes a full npm install to happen just to update the package lock file. In my CI, where the release script runs in an isolated container, this causes a cascade of problems:

1. npm version triggers npm install (causing 2000 packages to be downloaded unnecessarily)
2. npm install triggers npm prepare
3. npm prepare installs Husky hooks
4. git push triggers those Husky hooks to run my test suite (which takes 10+ minutes)
5. tests fail because the release-container is not set up for them
6. the semantic release has failed because the git push was prevented by Husky

I could solve some of the issues in any steps along the way, but the root of the problem lies in the npm install that gets executed by the semantic-release/npm prepare step.

All that's needed to fix it is the addition of the --package-lock-only flag in the npm version command:

npm/lib/prepare.js

Line 16 in 3e262c2

["version", version, "--userconfig", npmrc, "--no-git-tag-version", "--allow-same-version"],

[Avaq]

💭 It might be necessary to also add the --ignore-scripts flag for the Husky problem. But I'd understand if that's considered out of scope.

[travi]

1. npm version triggers npm install (causing 2000 packages to be downloaded unnecessarily)

why do you suggest this to be the case? the lifecycle docs for npm version highlight that this isnt the case

[Avaq]

Ah. While I verified it locally before opening this issue, maybe it's something in the way my project is set up. It's a monorepo using npm workspaces, the package lock being updated lives in the parent directory and locks the modules of multiple packages.

I'll try to make a minimal reproduction outside of my project.

[travi]

minimal reproduction

keep in mind that semantic-release does not officially support monorepos, so when coming up with a reproduction, please make sure you are able to reproduce the issue in the context of a package that is not part of a monorepo