-
Notifications
You must be signed in to change notification settings - Fork 15
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Should we remove the yarn.lock file? #53
Comments
I haven't chosen my side for the moment, but I haven't found any "famous" JS library that removes the |
I always followed the suggestions of the CLI team at npm https://docs.npmjs.com/cli/v6/configuring-npm/package-lock-json |
I asked Twitter, we'll see :D |
Yarn says the same as npm (Maël just point me there): https://yarnpkg.com/getting-started/qa#should-lockfiles-be-committed-to-the-repository |
So, we are entitle to a different opinion, but when the lead maintainer of yarn, and past lead maintainer of npm said we should, it kinda weight into the scale :D I hope that help this discussion... |
Thanks a lot @fharper but all those answers do not take into account that this project is a library and not a project. One person in your twitter feed mentionned that they digged into the subject Thanks to @dkundel article I think I understand exactly what the problem is. Let me try to explain by quoting a lot of passages of his article. Lock filesLock files contains the
Where we will install
Package.json
{
"dependencies": {
"twilio": "^3.30.3"
}
} This caret (
Why are lock files usefull ?Lock files are amazing for web application or projects where you want everything to work precisely as it works on your local environment. Since they both have the same lock file, every dependency and sub-dependency will have the same version on every environment you install that project. Why are lock files not usefull for libraries.Libraries are puched on As @dkundel explains
(Of course, this What are the benefits of not adding our lock filesWhenever a maintainer works on our library, when building the library it will install all dependencies on their latest versions (ex: Meaning that if we can not bundle the project by doing That way, if we regularly maintain this project we will be able to know whenever this library doesnt behave the way it should for all users that download this library from Check could also be automated as a CI by using What are the downsides of removing the yarn.lock of our library.As we ensure that we regularly check that everything is working the way it is supposed to for our users. We also remove the comfort of having the ConclusionBased on this information:
I think there are two possible good solutions. 1. Keep lock file and tests against tarballThis means that we keep the lock file for our maintainers comfort. But instead of testing the library that has be build using the lock file, we test the library that has been build without a lock file. That way we ensure also that our users will have a working version that outputs the same results as the version with lock file. And that there are no breaking changes in any of the dependencies and sub dependencies updates. 2. Remove the lock file.At the cost of maybe having sometimes unexpected results with devDependencies (which again should not be the case if our dependencies correctly uses semver), we ensure that our users always have a working library. |
yarn lock is kept until industry good practices are clearly in favor of removing it. |
Based on this article
By design yarn.lock and package-lock.json are not added to NPM (see npm shrinkwrap)
Thus keeping the yarn.lock file is useful for two reasons:
About the second reason, this is what the article says:
I also think that keeping yarn.lock file only for this use case is a lot of work. Updating minors using dependabot or asking contributors to manually rebase because of conflicts in yarn.lock is a pain.
On the other hand, having a failing development environment is not a pleasant experience for contributors. I would like your opinion on the matter.
This applies also to https://github.com/meilisearch/instant-meilisearch, https://github.com/meilisearch/docs-searchbar.js, https://github.com/meilisearch/vuepress-plugin-meilisearch
Vote
Keep yarn.lock 🎉
Remove yarn.lock 👍
The text was updated successfully, but these errors were encountered: