Commit
NPM's official documentation says that package-lock.json should be part of the repository. Why?

`package-lock.json` is basically a snapshot of the `node_modules/` directory. You can think of it like `node_modules.zip`, except it is more human-readable and requires an internet connection to unzip.

The main advantage of adding it to Git is that it lets you know exactly the state of `node_modules/` at the time the programmer commits it. So if a dependency breaks, it's easier to trace exactly when it broke. It also makes sure `node_modules/` is exactly the same between different development environments, so differences don't cause bugs to appear for some developers but not others.

This comes with a number of disadvantages. The biggest one is that it causes package-lock changes to appear in random commits, which can outright lead to merge conflicts. Not to mention making diffs in general significantly less readable.

And a lot of stated advantages aren't actually true (paraphrased):

> If I install express ^4.15.4, and later express 4.15.5 is released,
> a contributor would run `npm install` and get 4.15.5, we would
> have different versions.

Like, this is intended behavior. If I didn't want that behavior, I'd specify the express version as 4.15.4 instead of ^4.15.4. We can still have the same version if we just re-run `npm install`, which we would STILL have to do if we were using a package-lock file. The package-lock file does not improve this situation.

(A Dev poll showed that most devs were in support of this.)
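As an added example (not part of the commit above, and not npm's own tooling), a small script that audits a constructed `package-lock.json` against a constructed `package.json`: it reports which dependencies a caret range leaves free to drift on a fresh `npm install`, whether each locked version still satisfies its declared range, and whether the lock records an integrity hash that `npm ci` can verify. The caret matcher, the sample data and the `auditLock` name are assumptions for illustration.

```javascript
// Added example: audit a lockfileVersion 2/3 "packages" map against package.json.
// All data below is constructed; no registry access. Only "x.y.z" and "^x.y.z" ranges are handled.
const packageJson = {
  dependencies: { express: "^4.15.4", lodash: "4.17.20", debug: "^2.6.8" },
};

const lockfile = {
  lockfileVersion: 3,
  packages: {
    "node_modules/express": { version: "4.15.5", integrity: "sha512-<constructed>" },
    "node_modules/lodash": { version: "4.17.20" }, // no integrity recorded
    "node_modules/debug": { version: "3.0.0", integrity: "sha512-<constructed>" },
  },
};

const parse = (v) => v.split(".").map(Number);
const cmp = (a, b) => a[0] - b[0] || a[1] - b[1] || a[2] - b[2];

// Caret rule: an upgrade may not change the leftmost non-zero component
// (^1.2.3 -> <2.0.0, ^0.2.3 -> <0.3.0, ^0.0.3 -> <0.0.4).
function caretUpper(base) {
  const i = base.findIndex((n) => n !== 0);
  const idx = i === -1 ? 2 : i;
  const upper = [0, 0, 0];
  upper[idx] = base[idx] + 1;
  return upper;
}

function satisfies(range, version) {
  const v = parse(version);
  if (range.startsWith("^")) {
    const base = parse(range.slice(1));
    return cmp(v, base) >= 0 && cmp(v, caretUpper(base)) < 0;
  }
  return cmp(v, parse(range)) === 0; // exact pin
}

// Per dependency: locked version, whether it satisfies the declared range, whether the
// range is an exact pin (no drift possible even without the lock), and whether an integrity
// hash is present so `npm ci` can detect a tampered tarball.
function auditLock(pkg, lock) {
  const report = {};
  for (const [name, range] of Object.entries(pkg.dependencies)) {
    const entry = lock.packages[`node_modules/${name}`];
    report[name] = {
      locked: entry ? entry.version : null,
      inRange: entry ? satisfies(range, entry.version) : false,
      exactPin: !range.startsWith("^"),
      hasIntegrity: Boolean(entry && entry.integrity),
    };
  }
  return report;
}

console.log(auditLock(packageJson, lockfile));
```

In the sample, `debug` is locked at 3.0.0 although `package.json` declares `^2.6.8`, which is the kind of lock/manifest mismatch that silently changes what `npm install` and `npm ci` resolve.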