I maintain over 200 repositories on GitHub, and one of the most common PRs that I receive is someone adding package-lock.json or yarn.lock. These PRs are closed without merging because dependency lock files are not designed to be used by packages that are themselves dependencies of other packages.

Official NPM documentation encourages committing package-lock.json files to source code version control:

> It is highly recommended you commit the generated package lock to source control: this will allow anyone else on your team, your deployments, your CI/continuous integration, and anyone else who runs npm install in your package source to get the exact same dependency tree that you were developing on. Additionally, the diffs from these changes are human-readable and will inform you of any changes npm has made to your node_modules, so you can notice if any transitive dependencies were updated, hoisted, etc.

Committing package-lock.json to source code version control means that the project maintainers and CI systems will use a specific version of dependencies that may or may not match those defined in package.json. Because package-lock.json cannot be added to the NPM registry (by design; see NPM shrinkwrap), projects that depend on a project that uses package-lock.json will themselves use package.json to resolve the project's dependencies, i.e. what works for project maintainers/CI systems might not work when the project is used as a dependency.

The origin of this misuse is the NPM documentation. It should instead explain that package-lock.json should only be committed to source code version control when the project is not a dependency of other projects, i.e. package-lock.json should only be committed to source code version control for top-level projects (programs consumed by the end user, not other programs). I have already asked NPM to update the documentation, but it was archived without an action.

Some comments suggested that the biggest advantage of package-lock.json is that it allows replicating the development environment.
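The mismatch described above, between what a library's lock file pins and what its package.json ranges resolve to for a consumer, can be checked mechanically. The following is an added example, not code from the original post: the package names, versions and the `published` list are constructed, and resolution is simplified to "highest published version inside a plain `^`, `~` or exact range".

```javascript
// Constructed sample data: a library's package.json, its package-lock.json
// (lockfileVersion 3 layout) and a made-up list of published versions.
const manifest = { name: "example-lib",
  dependencies: { "example-parser": "^1.2.0", "example-util": "~0.4.1" } };
const lock = { lockfileVersion: 3, packages: {
  "": { name: "example-lib" },
  "node_modules/example-parser": { version: "1.2.0" },
  "node_modules/example-util": { version: "0.4.1" } } };
const published = { "example-parser": ["1.2.0", "1.3.1", "2.0.0"],
                    "example-util": ["0.4.1", "0.5.0"] };

const parse = (v) => v.split(".").map(Number);
const cmp = (a, b) => {
  const [x, y] = [parse(a), parse(b)];
  for (let i = 0; i < 3; i++) if (x[i] !== y[i]) return x[i] - y[i];
  return 0;
};

// Supports only x.y.z, ^x.y.z and ~x.y.z (assumption: no pre-release tags).
function satisfies(version, range) {
  const op = range[0];
  if (op !== "^" && op !== "~") return cmp(version, range) === 0;
  const base = range.slice(1);
  const [maj, min, pat] = parse(base);
  let upper; // exclusive upper bound of the range
  if (op === "~" || (maj === 0 && min > 0)) upper = `${maj}.${min + 1}.0`;
  else if (maj > 0) upper = `${maj + 1}.0.0`;
  else upper = `0.0.${pat + 1}`;
  return cmp(version, base) >= 0 && cmp(version, upper) < 0;
}

// Per dependency: the version the maintainer's lock file pins versus the
// version a consumer's fresh install would resolve from package.json alone.
function lockDrift(manifest, lock, published) {
  return Object.entries(manifest.dependencies).map(([name, range]) => {
    const locked = lock.packages[`node_modules/${name}`]?.version ?? null;
    const inRange = (published[name] ?? []).filter((v) => satisfies(v, range));
    const consumer = inRange.sort(cmp).pop() ?? null;
    return { name, range, locked, consumer, drift: locked !== consumer };
  });
}

for (const row of lockDrift(manifest, lock, published)) console.log(row);
```

A row with `drift: true` marks a dependency where the maintainer's CI ran against one version while consumers install another.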