Best practice 'package-lock.json' for modules

KristjanESPERANTO

What is the best approach with the package-lock.json for modules?

The most common approach I see is that the package-lock.json is included in the repository and npm install is listed in the installation instructions. This has the disadvantage that the package-lock.json is sometimes changed during the installation and the user then has later problems doing a normal git pull to update the module.

I see two approaches that prevent this problem and wanted to know if you know of any others and what advantages or disadvantages you see in these approaches.

Remove package-lock.json from the repository (by adding it to .gitignore).
Use npm ci instead of npm install.

sdetweil

@KristjanESPERANTO well, the intent is to insure a particular library set. it works great on limited test environments.

like our automated tests.

it does not work in real life on all the platforms we run on

that is why my upgrade script will erase it before upgrading the code to prevent the changed file error.

but you can’t have it IN the repo for test,
and
NOT have it after git clone

npm ci doesn’t help

KristjanESPERANTO

Why npm ci doesn’t help? It doesn’t change the package-lock.json.

sdetweil

@KristjanESPERANTO but something else will over the months. and we have to retrain all our users.

KristjanESPERANTO

but something else will over the months.

“something else” will change the package-lock.json? How can that happen?

and we have to retrain all our users.

This is certainly a considerable disadvantage compared to approach 1.

sdetweil

@KristjanESPERANTO said in Best practice 'package-lock.json' for modules:

“something else” will change the package-lock.json? How can that happen?

someone will forget to be in the modules folder and poof it happens at the root…

Jalibu

It is generally recommended best practice to check-in the package-lock.json for node modules.
However, I in our case of MM-Modules the disadvantages clearly outweigh the expected advantages in my opinion.

In my modules, it is therefore part of .gitignore

KristjanESPERANTO

@Jalibu I just wanted to point you to this conversation. Thanks for your feedback! :-)

I’m thinking about adding a check for it to my project.

mumblebaj

My 2 cents worth.

@Jalibu I agree with your view.

It is highly recommended you commit the generated package lock to source control: this will allow anyone else on your team, your deployments, your CI/continuous integration, and anyone else who runs npm install in your package source to get the exact same dependency tree that you were developing on.

See npm documentation

@KristjanESPERANTO Personally I always add it to .gitignore along with node_modules folder.

sdetweil

@mumblebaj right it’s good for teams and automated test. but not here.

os at different levels, architectures, node levels.

I test on Jetson nano, odroid the entire pi family, amd64, arm64, lots of different Linux OS es, virtual machines on amd and arm

package-lock is useless and an inhibitor.

modules should NEVER ship it.