[npm] What should we do about lockfiles? #93

Closed
Flaque opened this issue Jul 12, 2017 · 6 comments

Comments

@Flaque
Contributor

Flaque commented Jul 12, 2017

Right now it doesn't seem that there are any package-lock.json files in any of the packages. But the lerna exec npm install will create a lockfile in each package.

Npm claims that we should commit these. Is there any reason we haven't?

Could we either add them or add them to the .gitignore?

@andyfangdz
Contributor

Whether lockfiles make sense for libraries is debatable, but npm seems pretty opinionated on this -- according to the manual they cannot be published. Therefore, we could safely ignore them.

https://github.com/npm/npm/blob/v5.0.0/doc/files/package-lock.json.md

One key detail about package-lock.json is that it cannot be published, and it will be ignored if found in any place other than the toplevel package. It shares a format with npm-shrinkwrap.json(5), which is essentially the same file, but allows publication. This is not recommended unless deploying a CLI tool or otherwise using the publication process for producing production packages.

@Flaque
Contributor Author

Flaque commented Aug 11, 2017

Cool, do we want to add them to the git ignore then?

@andyfangdz
Contributor

I'm cautiously positive that they can be ignored.

/cc @hshoff

@hshoff
Member

hshoff commented Aug 16, 2017

@ljharb any thoughts on how libraries should treat package-lock.json?

@ljharb

ljharb commented Aug 16, 2017

@hshoff Only apps should have lockfiles. Libs/packages should add package-lock=false to .npmrc, and gitignore package-lock.json, npm-shrinkwrap.json, and yarn.lock, full stop.

@hshoff
Member

hshoff commented Aug 16, 2017

@ljharb makes sense thank you!
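
The policy ljharb describes above (package-lock=false in .npmrc, and package-lock.json, npm-shrinkwrap.json and yarn.lock gitignored), as an added example that is not part of the original thread or the project's code: a shell audit that reports every package in a lerna-style monorepo that deviates from it. The `packages/*` layout, the function names and the sample repository are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): audit a lerna-style monorepo against
# the policy "libraries disable and ignore lockfiles".
# Assumption: packages live under <root>/packages/*/ with a package.json each.
LOCKFILES="package-lock.json npm-shrinkwrap.json yarn.lock"

# Print one finding per line for a single package directory.
audit_package() {
    dir=$1 top=$2
    # npm must be told not to write a lockfile for this package.
    if ! grep -qsE '^[[:space:]]*package-lock[[:space:]]*=[[:space:]]*false[[:space:]]*$' "$dir/.npmrc"; then
        echo "$dir: .npmrc does not set package-lock=false"
    fi
    for lf in $LOCKFILES; do
        # A lockfile on disk means an install has already generated one.
        if [ -e "$dir/$lf" ]; then echo "$dir: $lf present"; fi
        # Simplification: only an exact-name line in the package or root
        # .gitignore counts; glob or path patterns are not evaluated.
        if ! grep -qsxF "$lf" "$dir/.gitignore" "$top/.gitignore"; then
            echo "$dir: $lf not listed in .gitignore"
        fi
    done
}

audit_repo() {
    root=$1
    for pkg in "$root"/packages/*/; do
        [ -f "${pkg}package.json" ] || continue
        audit_package "${pkg%/}" "$root"
    done
}

# Constructed sample: "good" follows the policy, "bad" does not.
make_sample_repo() {
    mkdir -p "$1/packages/good" "$1/packages/bad"
    printf '%s\n' node_modules yarn.lock > "$1/.gitignore"
    echo '{}' > "$1/packages/good/package.json"
    echo 'package-lock=false' > "$1/packages/good/.npmrc"
    printf '%s\n' package-lock.json npm-shrinkwrap.json > "$1/packages/good/.gitignore"
    echo '{}' > "$1/packages/bad/package.json"
    echo '{}' > "$1/packages/bad/package-lock.json"
}

# With a path argument audit that repo; otherwise audit the constructed sample.
if [ -n "${1:-}" ]; then
    audit_repo "$1"
else
    demo=$(mktemp -d) && make_sample_repo "$demo" && audit_repo "$demo"
    rm -rf "$demo"
fi
```

An empty result means every package disables lockfile creation and ignores all three lockfile names; in CI, treat any output line as a failure.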
