Reputation: 635
Configuring package-lock.json to be source of dependency truth
I had the exact same question as Do I need both package-lock.json and package.json? (tldr; "what's the difference between package.json and package-lock.json?") and found some really great answers in there. However it leaves me with a few other very similar-related questions that I don't see answered elsewhere.
For instance, what if package.json and package-lock.json conflict with one another? Say package.json says to use some-lib-2.* (any 2.x version of some-lib) but package-lock.json is configured to use some-lib-1.18.4? Is there an error? Is preference given to either file as the "source of dependency truth"?
I like the idea of one file to manage my specific dependencies, and so I feel like I'm leaning towards:
- Not specifying libraries or version in
package.jsonat all; and - Using
package-lock.jsonto specify the exact versions of each module/library my project uses
Is this possible to do? If so are there any special configurations that I need to make? Do I track both files in version control, or is there ever any reasons why I would not want to track these in git/VCS?
Upvotes: 0
Views: 1574
Answers (1)
Reputation: 635
- You use the the command line (
npm install [optional args]) to update both files - NPM -- and your command line invocation -- decide what the acceptable ranges of dependency versions there are for module and define those ranges in
package.json. It then picks a version within that range -- uses it for buildtime/runtime -- and writes that exact version inpackage-lock.json - So you want to place both files in version control so you have repeatable builds and any developers checking out your project will immediately be able to build the project with the same versions of the same dependencies
- And the only time you edit
package.jsondirectly is if you don't want to allow a range of versions for a particular dependency and want to cherry pick the exact version to use. You make the edit, you save, you runnpm install [options]andpackage-lock.jsonwill be updated to use that version as well
For what it's worth, this is terribly confusing and advocates the anti-pattern of not managing your dependencies. It allows developers to think its OK to just pull in the latest version of a given dependency, even if that version changes from build to build. That leads to bug creep in your application, non-repeatable builds and all sorts of headaches.
I would strongly advocate for always specifying the exact version you want for all your direct dependencies: no more ranges or wildcards please.
Upvotes: 2
Related Questions
- npm force package-lock to update a sub-dependency package
- Is there a way to force npm to generate package-lock.json?
- Package-lock.json - requires vs dependencies
- How do I update a single dependency in package-lock.json, without any side effects?
- how to get the dependencies of a project with a package-lock.json but no package.json?
- package-lock.json file, package with "optional": true
- NPM Lock down dependency versions in our dependencies package.json
- How do I npm update dependency versions in the package-lock.json?
- Update intermediary npm dependencies with package-lock.json
- NPM lockfiles do not handle transitive dependencies correctly