Conversation
Since especially @krzkaczor had some arguments in favor of using lock files, I would very much like to have some discussion on this first. I also have to do some read up on this first, haven't formed an opinion yet. @whymarrh, could you give a short summary of your arguments or link to some argumentation you go along with? |
I'd be happy to. There are two types of projects in any lockfile discussion: applications and libraries. Applications are projects that aren't consumed by other applications, where libraries are projects intended to be consumed by applications. That is, someone does
Libraries, on the other hand, don't need to have lockfiles. Libraries are usually concerned about having a range of dependency versions that they'll work with to offer consuming applications some flexibility in their dependency resolution. One common, simple example is two dependencies: one that depends on Ultimately, the
From Understanding lock files in NPM 5 (ignore the first line, the article buries the lede), emphasis mine:
|
@whymarrh really nice writeup! I think we all agree that lockfiles are a good thing for applications, now the only question is: what about libraries. Here's what yarn team has to say about this: https://yarnpkg.com/blog/2016/11/24/lockfiles-for-all/ So basically, they argue that you should always commit lockfile, even for libraries because:
That being said I personally don't have strong opinion and I think since we maintain multiple smaller repositories, not having lockfiles can ease a pain of upgrading dependend projects. |
Ok, so let's stick to not using lock files for now. Have added a note on this on a new Node best practices section in the docs. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks good.
This PR adds the
package-lock.json
file to the Git ignore list.