
investigate whether dropping package-lock.json is an option #3

Closed
jvoigtlaender opened this issue Sep 18, 2022 · 3 comments

Comments

@jvoigtlaender
Member

The theory being that package.json is enough for the installers and CI (i.e., they will work out on their own which specific set of package versions to use).

@owestphal
Member

From npm docs (highlighting added):

package-lock.json is automatically generated for any operations where npm modifies either the node_modules tree, or package.json. It describes the exact tree that was generated, such that subsequent installs are able to generate identical trees, regardless of intermediate dependency updates.

This file is intended to be committed into source repositories, and serves various purposes:

  • Describe a single representation of a dependency tree such that teammates, deployments, and continuous integration are guaranteed to install exactly the same dependencies.
  • Provide a facility for users to "time-travel" to previous states of node_modules without having to commit the directory itself.
  • Facilitate greater visibility of tree changes through readable source control diffs.
  • Optimize the installation process by allowing npm to skip repeated metadata resolutions for previously-installed packages.
  • As of npm v7, lockfiles include enough information to gain a complete picture of the package tree, reducing the need to read package.json files, and allowing for significant performance improvements.

So it is at least not wrong to track the lock file.

This thread suggests "Lockfiles for apps, but not for packages."

As far as I can see, the file is optional and whether or not we keep it is largely up to personal preference (assuming build speed and security are not our primary concerns).

@jvoigtlaender
Member Author

What I can say is that it does not seem to have much of a "locking effect" on my system. If I check out the repo, then run npm install, the file package-lock.json looks completely different afterwards. I have not committed those changes so far, but have always discarded them before a new pull. In any case, the content of the "lock file" does not seem to lock my local install into a particular set of dependencies. Is that the same at your end?

@jvoigtlaender
Member Author

See d395a49.

Of course, it could just be a consequence of npm on my machine being too old. In fact, npm install outputs this message when I start it here:

npm WARN read-shrinkwrap This version of npm is compatible with lockfileVersion@1, but package-lock.json was generated for lockfileVersion@2. I'll try to do my best with it!

I have:

$ npm --version
6.14.15
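The two points raised in this thread, what a lock file actually pins (the npm docs quoted above) and what happens when the lockfileVersion is newer than the installed npm can read, can both be checked mechanically. The script below is an added example, not code from this issue or from npm: it reads a package.json and a package-lock.json object and reports, per declared dependency, whether the lock file carries an exact version, a resolved URL and an integrity hash (the three fields that let an install be reproduced and verified), and whether the lockfileVersion is one the given npm major version understands. The manifest, both lock files and the npm-version mapping are constructed sample data and assumptions, not taken from the repository.

```javascript
// Added example: audit a package-lock.json against package.json.
// Not code from the issue thread or from npm itself. All sample data
// below is constructed for illustration.

// Approximate mapping from npm major version to the newest lockfileVersion
// it fully understands (assumption based on npm release history:
// npm 6 writes v1, npm 7-8 write v2, npm 9+ write v3).
function maxLockfileVersion(npmMajor) {
  if (npmMajor < 7) return 1;
  if (npmMajor < 9) return 2;
  return 3;
}

// Look up the lock entry for a top-level dependency in either layout:
// lockfileVersion >= 2 uses a "packages" map keyed by install path,
// lockfileVersion 1 uses a nested "dependencies" map keyed by name.
function lockEntry(lock, name) {
  if (lock.lockfileVersion >= 2 && lock.packages) {
    return lock.packages[`node_modules/${name}`];
  }
  return lock.dependencies ? lock.dependencies[name] : undefined;
}

// Returns a report describing how much "locking" the lock file provides
// for the dependencies declared in package.json.
function auditLock(pkg, lock, npmMajor) {
  const declared = Object.keys({
    ...(pkg.dependencies || {}),
    ...(pkg.devDependencies || {}),
  });
  const report = {
    lockfileVersion: lock.lockfileVersion,
    readableByNpm: lock.lockfileVersion <= maxLockfileVersion(npmMajor),
    missing: [],     // declared in package.json but not pinned in the lock file
    noIntegrity: [], // pinned to a version/URL but without an integrity hash
    pinned: [],      // fully pinned: version + resolved URL + integrity hash
  };
  for (const name of declared) {
    const entry = lockEntry(lock, name);
    if (!entry || !entry.version || !entry.resolved) {
      report.missing.push(name);
    } else if (!entry.integrity) {
      report.noIntegrity.push(name);
    } else {
      report.pinned.push(name);
    }
  }
  return report;
}

// Constructed sample manifest (not a real project file).
const SAMPLE_PACKAGE_JSON = {
  name: "sample-app",
  version: "1.0.0",
  dependencies: { "left-pad": "^1.3.0", lodash: "^4.17.21" },
  devDependencies: { mocha: "^10.0.0" },
};

// Constructed lockfileVersion 2 sample: one dependency fully pinned, one
// without an integrity hash, and one (mocha) missing from the lock file.
const SAMPLE_LOCK_V2 = {
  name: "sample-app",
  version: "1.0.0",
  lockfileVersion: 2,
  packages: {
    "": { dependencies: { "left-pad": "^1.3.0", lodash: "^4.17.21" } },
    "node_modules/left-pad": {
      version: "1.3.0",
      resolved: "https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz",
      integrity: "sha512-PLACEHOLDER-not-a-real-hash",
    },
    "node_modules/lodash": {
      version: "4.17.21",
      resolved: "https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz",
    },
  },
};

// Constructed lockfileVersion 1 sample (npm 6 layout) with everything pinned.
const SAMPLE_LOCK_V1 = {
  name: "sample-app",
  version: "1.0.0",
  lockfileVersion: 1,
  dependencies: {
    "left-pad": { version: "1.3.0", resolved: "https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz", integrity: "sha512-PLACEHOLDER-1" },
    lodash: { version: "4.17.21", resolved: "https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz", integrity: "sha512-PLACEHOLDER-2" },
    mocha: { version: "10.0.0", resolved: "https://registry.npmjs.org/mocha/-/mocha-10.0.0.tgz", integrity: "sha512-PLACEHOLDER-3" },
  },
};

console.log(JSON.stringify(auditLock(SAMPLE_PACKAGE_JSON, SAMPLE_LOCK_V2, 6), null, 2));
```

Against the v2 sample with npm 6 the report flags the lock file as not readable (matching the read-shrinkwrap warning quoted above) and lists mocha as missing and lodash as lacking an integrity hash; only left-pad is something an installer can both reproduce and verify. In CI, `npm ci` (rather than `npm install`) installs exactly what the lock file records and fails when package.json and the lock file disagree, which is the behaviour needed for the lock file to have the "locking effect" discussed here.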
