NPM v5 supports shrinkwrapping dependencies <http://blog.npmjs.org/post/161081169345/v500> via a "package-lock.json" lockfile (example <https://gerrit.wikimedia.org/r/#/c/403724/1/package-lock.json>). Should we generally be committing these lockfiles or ignoring them in Wikimedia repos?
The downsides of lockfile usage that I'm aware of are:
1. No CI support yet. (CI simply ignores this file when installing dependencies because it uses an older version of NPM.)
2. Platform differences can create different lockfiles for optional dependencies, but it's a known issue <https://github.com/npm/npm/issues/17722>.
3. Developers must remember to use NPM v5 or greater when adding or updating dependencies.
4. The format is a bit verbose.
The pros of lockfiles are:
1. Considered best practice and the default behavior of NPM.
2. The officially supported use case for reproducible builds.
The topic is tracked in T179229 <https://phabricator.wikimedia.org/T179229>, but there's lots of activity around lockfiles <https://phabricator.wikimedia.org/search/query/NFhYM5EmMLlB/#R> outside of it.
Stephen