NPM v5 supports shrinkwrapping dependencies http://blog.npmjs.org/post/161081169345/v500 via a "package-lock.json" lockfile (example https://gerrit.wikimedia.org/r/#/c/403724/1/package-lock.json). Should we generally be committing these lockfiles or ignoring them in Wikimedia repos?
The downsides of lockfile usage that I'm aware of are:
1. No CI support yet. (CI simply ignores this file when installing dependencies because it uses an older version of NPM.)
2. Platform differences can create different lockfiles for optional dependencies, but it's a known issue https://github.com/npm/npm/issues/17722.
3. Developers must remember to use NPM v5 or greater when adding or updating dependencies.
4. The format is a bit verbose.
The pros of lockfiles are:
1. Considered best practice and the default behavior of NPM.
2. The officially supported use case for reproducible builds.
The topic is tracked in T179229 https://phabricator.wikimedia.org/T179229 but there's lots of activity around lockfiles https://phabricator.wikimedia.org/search/query/NFhYM5EmMLlB/#R outside of it.
Stephen
wikitech-l@lists.wikimedia.org