
[Discussion]: Remove package-lock.json #124

Closed
quinnturner opened this issue Feb 8, 2020 · 3 comments
Labels
enhancement New feature or request help wanted Extra attention is needed

Comments

@quinnturner
Member

To reduce the number of packages for clients to download, we can remove the package-lock.json.

This does have security implications under-the-hood since the entire dependency tree is managed through package-lock.json for more consistent installations.

@quinnturner quinnturner added enhancement New feature or request help wanted Extra attention is needed labels Feb 8, 2020
@G-Rath
Contributor

G-Rath commented May 17, 2020

Personally I'm a fan of having the package-lock.json since it lets you install quickly using npm ci, and lets you audit the package.

It shouldn't result in anyone downloading any extra packages afaik?

@quinnturner
Member Author

Thank you for your input!

It could result in someone downloading extra versions of the same package. If audit-ci's package.json has a package at ^3.0.0 but package-lock.json pins that package to 3.0.0, then it will always download 3.0.0. If other transitive dependencies have 3.0.1 in their package-lock.json, then yarn/npm will install both 3.0.0 and 3.0.1, which is probably unnecessary.

I am still leaning towards keeping the package-lock.json for the reasons you mentioned, but am still open to more discussion :)

@G-Rath
Contributor

G-Rath commented May 17, 2020

That's true, but only for people checking out this repo, not when using the published package.

> If other transitive dependencies have 3.0.1 in their package-lock.json

npm never uses the package-lock.json when installing into node_modules - it implicitly excludes the file when packing (even if you try to explicitly include it), and if you publish a package with it by say packing manually, npm will just ignore it at install time 🙂

In the situation you describe, both npm & yarn should remove the 3.0.0 package in favor of 3.0.1 if it satisfies the constraints of both consuming packages.

(This is the main area where npm & yarn differ in their locks: npm strives for the most accurate tree possible, whereas yarn aims for the most deduplicated, so in these situations yarn can result in slightly fewer packages as it'll choose to downgrade/not-upgrade instead of having two packages installed when adding a package to an existing tree.)
