Should I commit the yarn.lock file and what is it for?

没有蜡笔的小新 2020-12-04 07:03

Yarn creates a yarn.lock file after you perform a yarn install.

Should this be committed to the repository or ignored? What is it for?

9 answers
  • 2020-12-04 07:21

    Yes! yarn.lock must be checked in so any developer who installs the dependencies gets the exact same output! With npm [that was available in Oct 2016], for instance, you can have a patch version (say 1.2.0) installed locally while a new developer running a fresh install might get a different version (1.2.1).

  • 2020-12-04 07:25

    I'd guess yes, since Yarn versions its own yarn.lock file: https://github.com/yarnpkg/yarn

    It's used for deterministic package dependency resolution.

  • 2020-12-04 07:30

    Not to play the devil's advocate, but I have slowly (over the years) come around to the idea that you should NOT commit the lock files.

    I know every bit of documentation they have says that you should. But what good can it possibly do?! And the downsides far outweigh the benefits, in my opinion.

    Basically, I have spent countless hours debugging issues that have eventually been solved by deleting lock files. For example, the lock files can contain information about which package registry to use, and in an enterprise environment where different users access different registries, it's a recipe for disaster.

    Additionally, the lock files can really mess up your dependency tree. Because yarn and npm create a complex tree and keep external modules of different versions in different places (e.g. in the node_modules folder within a module in the top node_modules folder of your app), if you update dependencies frequently, it can create a real mess. Again, I have spent tons of time trying to figure out why an old version of a module was still being used in a dependency wherein the module version had been updated, only to find that deleting the lock file and the node_modules folder solved all the hard-to-diagnose problems.

    I even have shell aliases now that delete the lock files (and sometimes node_modules folders as well!) before running yarn or npm.

    Just the other side of the coin, I guess, but blindly following this dogma can cost you...

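Added example, not part of any answer above: the answers mention that yarn.lock pins exact versions and records which registry each package came from, so a committed lock file can be checked in review or CI. This sketch assumes the Yarn v1 (classic) lock format; the package names, the internal registry host, the hashes and the allowlist are constructed for illustration.

```javascript
// Constructed yarn.lock (Yarn v1 format); package names, hosts and hashes are made up.
const SAMPLE_LOCK = `# yarn lockfile v1

example-lib@^1.2.0:
  version "1.2.1"
  resolved "https://registry.yarnpkg.com/example-lib/-/example-lib-1.2.1.tgz#0000000000000000000000000000000000000001"
  integrity sha512-Q09OU1RSVUNURURfRVhBTVBMRV9IQVNIXzE=

"@acme/internal-utils@^3.0.0", "@acme/internal-utils@^3.1.0":
  version "3.1.4"
  resolved "https://npm.internal.example/@acme/internal-utils/-/internal-utils-3.1.4.tgz#0000000000000000000000000000000000000002"
  dependencies:
    example-lib "^1.2.0"
`;

// Parse the top-level entries of a v1 lock file into plain objects.
function parseYarnLock(text) {
  const entries = [];
  let cur = null;
  for (const line of text.split(/\r?\n/)) {
    if (!line.trim() || line.startsWith('#')) continue;
    if (!/^\s/.test(line) && line.endsWith(':')) {
      // Header: one or more comma-separated "name@range" specifiers.
      const specs = line.slice(0, -1).split(',').map(s => s.trim().replace(/^"|"$/g, ''));
      cur = { specs, version: null, host: null, integrity: null };
      entries.push(cur);
      continue;
    }
    const m = cur && line.match(/^  (version|resolved|integrity) "?([^"]+)"?$/);
    if (!m) continue; // nested blocks such as dependencies: are skipped
    if (m[1] === 'resolved') cur.host = new URL(m[2]).host;
    else cur[m[1]] = m[2];
  }
  return entries;
}

// Report entries fetched from a host outside the allowlist or lacking an integrity hash.
function auditLock(text, allowedHosts) {
  const findings = [];
  for (const e of parseYarnLock(text)) {
    if (e.host && !allowedHosts.includes(e.host)) findings.push(`${e.specs[0]}: registry ${e.host}`);
    if (!e.integrity) findings.push(`${e.specs[0]}: no integrity hash`);
  }
  return findings;
}

console.log(auditLock(SAMPLE_LOCK, ['registry.yarnpkg.com']));
```

Run against the real file by passing its contents as `text`; a non-empty result is a reason to look at the lock file diff before merging.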