
Ask HN: Should you commit package-lock.json? - wawhal
Hello HN,<p>We are trying to decide if we should commit package-lock to version control for our JavaScript project.<p>It is generally considered a good practice to commit package-lock to version control to avoid breaking anything due to the dependency updates and thus we have been committing it till now.<p>However, we are facing some problems. Everytime we run `npm install`, package-lock is overwritten whenever a new version is detected from `^` in package.json. This causes a lot of merge conflicts which are impractical to merge in the long run.<p>We were thinking of freezing the dependency versions in `package.json` itself and update them only when we really need to update them. In this way, we do not need to maintain package-lock. But this does not let us auto update the deps with incremental bug fixes that are released in the minor versions.<p>What do you people think?
======
xyzzy123
For an application, yes, commit the lock file. TL:DR; use “npm ci”, not “npm
i”.

This has several benefits; a) You know if a test fails, you broke something.
Not a bug caused by dep shift. b) Your team is using same versions of deps
during dev (reduces “works on my computer” moments) c) Your builds are more
reproducible. You can be more confident that you can exactly build say, last
month’s version of the app and have it work the same way it did back then.

Re: the noise problem, recommend using “npm ci” as the default and “npm i”
only where you’re planning to update deps. This is less work than “freezing”
stuff in package.json and also addresses the problem of transitive deps (the
deps if your deps, which you would not really want to put in package.json
anyway).

Use npm audit to detect stuff that _needs_ updating and treat periodic dep
updates as a janitorial task. When you do updates, make a PR with just the dep
updates (plus any changes needed for them to work) and make sure all the tests
pass. You can mostly automate this.

As a side note, the docs explicitly call out that the file is intended to be
committed: [https://docs.npmjs.com/files/package-
lock.json](https://docs.npmjs.com/files/package-lock.json)

------
quantummkv
Have you looked at yarn? From my experience yarn does not change its lock file
unless you explicitly change your dependencies.

