How to handle package-lock.json? #114
Comments
|
hapi is ignoring the new lock file https://github.com/hapijs/hapi/blob/master/.gitignore#L17 I think this is a good move, but there is a bug in npm5 around using Until most of the major issues in npm5 are addressed around the |
|
Thanks @geek! Is the plan to start committing it when the issues around npm5 are resolved, or we'll discuss that when the time comes? |
|
I am not sure what other people's plans are, but if having the lock file improves performance with cloning/installing the repo then I'd like to start committing it. |
|
Makes sense, thanks again 👍 |
|
You can also add |
|
I'm personally against so I'll keep ignoring it. |
|
i don't see it as any different than npm-shrinkwrap.json. we don't include it for libraries now (except for hapi itself) so why would we start? to prevent npm from creating the package-lock.json automatically, we can add a |
|
I'd recommend both - I believe only apps should have lock files, and you both want to prevent people from accidentally creating one and also from accidentally committing one. |
|
package-lock.json is different than a shrinkwrap because it does not ship with the npm package, and it is superseded by any shrinkwraps. Because hapi has a shrinkwrap, it will simply be ignored by npm anyway. |
|
It does indeed not make too much sense to have it for non-apps. |
|
So what's the conclusion on this? add it to .gitignore? add a repo specific .npmrc? I'm going to reopen the issue so we can get the best practice agreed u[pon and captured. Related, I scanned the contrib docs, and I don't see anything the captures our use of .npmignore .gitignore best practices. There's been various issues raised and resolved that we've all generally aligned on, but it doesn't seem those decisions made it into the docs? |
|
@csrl i'd suggest something like ljharb/qs@f0c1480 or tape-testing/tape@df48bfa |
|
.gitignore + local config based on your preferences. |
|
(if I'm understanding your comment) I don't think "preferences" should figure into it for individual developers; every user of the repo should be forced to use, or to not use, a given lockfile, for consistency. (Obv repo collab's preferences should decide what repo users do) |
|
Point is, never commit your lock file to git. If it is in the ignore file, it will never get committed. I don't care if you generate one locally or not. |
|
Create a file named
hope this helps |
Do note that this will not only disable the creation of package-lock, but it will also ignore the npm-shrinkwrap if present, so adding it into a global ( |
|
package-lock.json is supposed to facilitate flawless operation in webpage development and Mobile Apps especially where minor changes are made, like bug fixes, and point to major changes where there is a version upgrade....I think. Check this link on how to react a package.json file for subsequent version / iterations https://docs.npmjs.com/creating-a-package-json-file |
|
Lock file is useful for apps, never for libraries. |
|
Doesn't it have value for libs as well to speed up installs on CI using |
|
Why do installs need to be sped up on libs? What libs have a large enough dep tree that that makes a difference? and isn’t that really a problem with npm ci, not with not having a lockfile? |
|
@ljharb Good point. |
In npm5 the package-lock.json has been added.
When you
npm installthis file is created automatically, and when younpm version patchetc, this file is will be committed unless removed.Have we any stance on whether hapi ecosystem modules should add/ignore/remove these, considering maintainers will see this message:
Will these affect how shrinkwrap will work?
The text was updated successfully, but these errors were encountered: