Should I commit yarn.lock and package-lock.json files?

Backend · Unresolved · 7 · 968
野趣味 2020-12-12 12:15

We're using yarn for all our deterministic pkg installations but don't prevent the user from using npm - I'm guessing having both these files will cause issues however. S

7 answers
  •  甜味超标
    2020-12-12 12:47

    I was thinking about the same question. Here are my thoughts, hope it helps:

    The npm package-lock.json documentation says the following:

    package-lock.json is automatically generated for any operations where npm modifies either the node_modules tree, or package.json. It describes the exact tree that was generated, such that subsequent installs are able to generate identical trees, regardless of intermediate dependency updates.

    This is great because it prevents the "works on my machine" effect.

    Without this file, if you npm install --save A, npm will add "A": "^1.2.3" to your package.json. When somebody else runs npm install on your project, it is possible that the version 1.2.4 of A has been released. Since it is the latest available version that satisfies the semver range specified in your package.json, it will install this version. But what if there's a new bug introduced in this version? This person will have a problem that you can't reproduce because you have the previous version, without any bug.

    By fixing the state of your node_modules directory, the package-lock.json file prevents this problem because everybody will have the same version of every package.

    But, what if you're writing and publishing an npm module? The documentation says the following:

    One key detail about package-lock.json is that it cannot be published, and it will be ignored if found in any place other than the toplevel package.

    So, even if you commit it, when the user installs your module, he/she will not get the package-lock.json file, but only the package.json file. So npm will install the latest version that satisfies the semver ranges of all your dependencies. It means that you always want to test your module with these versions of your dependencies, and not the one you installed when you started writing your module. So, in that case, package-lock.json is clearly useless. Moreover, it can be annoying.
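To make the "exact tree" guarantee from the answer above concrete, here is a small added checker (not code from the question, the answer, or npm itself) that audits a constructed package.json against a constructed package-lock.json in the lockfileVersion 2/3 layout. It reports the three things a committed lockfile is supposed to prevent: a declared dependency with no locked entry (so `npm install` would resolve it afresh), a locked version that has drifted outside the declared semver range, and a locked package without an `integrity` hash (so the downloaded tarball cannot be verified). The semver handling is a deliberate simplification covering only `^`, `~` and exact pins; the package names, versions, URLs and hashes in the sample are invented.

```python
"""Audit a package.json against its package-lock.json (lockfileVersion 2 or 3).

Added example, not code from the question or answer it follows. Semver support is a
simplified subset of npm's (caret, tilde, exact pin); the sample files are constructed.
"""
import json
import re

# Constructed sample files; names, versions, URLs and hashes are illustrative only.
PACKAGE_JSON = """{
  "name": "demo-app",
  "version": "1.0.0",
  "dependencies": {
    "left-stuff": "^1.2.3", "tilde-lib": "~2.0.1", "pinned": "3.1.0", "missing-dep": "^0.1.0"
  }
}"""

PACKAGE_LOCK_JSON = """{
  "name": "demo-app",
  "lockfileVersion": 3,
  "packages": {
    "": { "dependencies": {
      "left-stuff": "^1.2.3", "tilde-lib": "~2.0.1", "pinned": "3.1.0", "missing-dep": "^0.1.0" } },
    "node_modules/left-stuff": { "version": "1.2.4",
      "resolved": "https://registry.example/left-stuff-1.2.4.tgz", "integrity": "sha512-AAAA" },
    "node_modules/tilde-lib": { "version": "2.1.0",
      "resolved": "https://registry.example/tilde-lib-2.1.0.tgz", "integrity": "sha512-BBBB" },
    "node_modules/pinned": { "version": "3.1.0",
      "resolved": "https://registry.example/pinned-3.1.0.tgz" }
  }
}"""

_VER = re.compile(r"^(\d+)\.(\d+)\.(\d+)$")


def parse_version(text):
    """Turn 'x.y.z' into a comparable (x, y, z) tuple; reject anything else."""
    m = _VER.match(text)
    if not m:
        raise ValueError(f"unsupported version syntax: {text!r}")
    return tuple(int(p) for p in m.groups())


def satisfies(version, spec):
    """Simplified npm semver: ^x.y.z, ~x.y.z, or an exact x.y.z."""
    v = parse_version(version)
    if spec.startswith("^"):
        base = parse_version(spec[1:])
        # Caret allows changes that keep the left-most non-zero component fixed.
        if base[0] > 0:
            return v >= base and v[0] == base[0]
        if base[1] > 0:
            return v >= base and v[:2] == base[:2]
        return v == base
    if spec.startswith("~"):
        base = parse_version(spec[1:])
        # Tilde allows patch-level changes only.
        return v >= base and v[:2] == base[:2]
    return v == parse_version(spec)


def audit_lockfile(package_json_text, lock_text):
    """Return a list of (package, problem) findings; an empty list means consistent."""
    pkg = json.loads(package_json_text)
    lock = json.loads(lock_text)
    if lock.get("lockfileVersion", 0) < 2:
        raise ValueError("this checker only understands lockfileVersion 2 or 3")
    packages = lock["packages"]
    declared = {**pkg.get("dependencies", {}), **pkg.get("devDependencies", {})}
    findings = []

    # 1. The root entry must mirror package.json, otherwise the lockfile is stale.
    root = packages.get("", {})
    root_deps = {**root.get("dependencies", {}), **root.get("devDependencies", {})}
    for name, spec in declared.items():
        if root_deps.get(name) != spec:
            findings.append((name, f"lockfile root has {root_deps.get(name)!r}, package.json has {spec!r}"))

    # 2. Every direct dependency needs a locked entry whose version fits the declared range.
    for name, spec in declared.items():
        entry = packages.get(f"node_modules/{name}")
        if entry is None:
            findings.append((name, "no locked entry; install would resolve it afresh"))
        elif not satisfies(entry["version"], spec):
            findings.append((name, f"locked {entry['version']} does not satisfy {spec}"))

    # 3. Every locked package should carry an integrity hash for tarball verification.
    for path, entry in packages.items():
        if path == "" or entry.get("link"):
            continue
        if "integrity" not in entry:
            findings.append((path, "missing integrity hash; tarball cannot be verified"))
    return findings


if __name__ == "__main__":
    for package, problem in audit_lockfile(PACKAGE_JSON, PACKAGE_LOCK_JSON):
        print(f"{package}: {problem}")
```

On the constructed sample this reports `missing-dep` (no locked entry), `tilde-lib` (2.1.0 is outside `~2.0.1`) and `node_modules/pinned` (no integrity hash); a clean run prints nothing, which is the state you want before committing the lockfile.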
