2386

npm 5 was released today and one of the new features include deterministic installs with the creation of a package-lock.json file.

Is this file supposed to be kept in source control?

I'm assuming it's similar to yarn.lock and composer.lock, both of which are supposed to be kept in source control.

rink.attendant.6
  • 44,500
  • 61
  • 101
  • 156
  • 72
    Short answer: yes. One comment: when package-lock.json changes you can make a commit of just that change, separate from other source changes. This makes `git log` easier to deal with. – Purplejacket Aug 29 '17 at 23:07
  • 33
    A file can't help produce a deterministic install if it doesn't exist. – Alan H. Sep 30 '17 at 06:11
  • 9
    Depends on the project. https://github.com/npm/npm/issues/20603 – Gajus May 13 '18 at 01:21
  • 6
    If you really trust npm sure, the purpose is to more explicitly report what the project is using. If you really want predictability ignore this file and instead install your node_modules (see .npmrc and related config in the answers+comment) and use that to track what's actually changing rather than what your package manager states it's doing. Ultimately: wich is more important? Your package manager or the code you're using. – jimmont Nov 30 '18 at 18:15
  • 4
    Given the popularity of yarn, and its warning: `package-lock.json found. Your project contains lock files generated by tools other than Yarn. It is advised not to mix package managers in order to avoid resolution inconsistencies caused by unsynchronized lock files. To clear this warning, remove package-lock.json`, I think there should be some answers here clarifying when folks should *not* commit `package-lock.json`. – nealmcb Aug 05 '20 at 14:16
  • I notice package-lock is different on different platforms - "npm install" on mac creates a different lock file to linux. Is that a problem if I do dev on a mac, and have coworkers on linux? – russau Oct 07 '21 at 23:39
  • Why would anyone want to update project dependencies automatically? It should be a manual process with regression involved. In this case, neither `package-lock.json` nor `^`/`~` versions matter. – ivanjermakov Apr 15 '22 at 10:14

14 Answers14

2566

Yes, package-lock.json is intended to be checked into source control. If you're using npm 5+, you may see this notice on the command line: created a lockfile as package-lock.json. You should commit this file. According to npm help package-lock.json:

package-lock.json is automatically generated for any operations where npm modifies either the node_modules tree, or package.json. It describes the exact tree that was generated, such that subsequent installs are able to generate identical trees, regardless of intermediate dependency updates.

This file is intended to be committed into source repositories, and serves various purposes:

  • Describe a single representation of a dependency tree such that teammates, deployments, and continuous integration are guaranteed to install exactly the same dependencies.

  • Provide a facility for users to "time-travel" to previous states of node_modules without having to commit the directory itself.

  • To facilitate greater visibility of tree changes through readable source control diffs.

  • And optimize the installation process by allowing npm to skip repeated metadata resolutions for previously-installed packages.

One key detail about package-lock.json is that it cannot be published, and it will be ignored if found in any place other than the toplevel package. It shares a format with npm-shrinkwrap.json, which is essentially the same file, but allows publication. This is not recommended unless deploying a CLI tool or otherwise using the publication process for producing production packages.

If both package-lock.json and npm-shrinkwrap.json are present in the root of a package, package-lock.json will be completely ignored.

mojoaxel
  • 1,440
  • 1
  • 14
  • 19
vine77
  • 26,728
  • 1
  • 20
  • 12
  • 2
    Excellent find, thank you! I can't wait to try npm 5 for my projects in the upcoming week, have been reading great things about it. – rink.attendant.6 May 27 '17 at 02:00
  • 133
    In what kind of projects is it actually helpful to commit the file? The whole point of semver and package.json is that updated compatible dependencies shouldn't need to be noted. – curiousdannii May 27 '17 at 12:05
  • 77
    The key word is "shouldn't need to be" - but in practice people don't follow semver perfectly. That's why you can use package-lock.json and package.json together to make it easy to update packages but still making sure every developer and every deployed application is using the same dependency tree. – Panu Horsmalahti May 31 '17 at 08:51
  • 4
    But is it intended to be checked in to source control for top-level apps? Or also checked into source control for library packages? – trusktr Jun 17 '17 at 22:35
  • 45
    @trusktr: Sindre Sorhus [recommends using](https://twitter.com/sindresorhus/status/878240818363981827) "Lockfiles for apps, but not for packages." – vine77 Jun 23 '17 at 18:17
  • 38
    Another thing is, package-lock.json is ignored for publishing on NPM, so if a developer uses it for a library dev, then they are minimizing the chance that they will catch a regression from an updated dependency version, and therefore will pass that bug onto end users. For this reason, not using a lock file for library dev increases the chance of shipping less bugs. – trusktr Jul 19 '17 at 22:49
  • 3
    @trusktr I think we might want to consider adding the caveat about packages vs. apps to this answer -- what do you think? – mikermcneil Jul 27 '17 at 02:19
  • 3
    @BrianHaak that's a new question to ask, not a comment. Also, `npm link`. – trusktr Jul 27 '17 at 18:34
  • 4
    @mikermcneil It doesn't seem like the question of lockfiles for libraries has consensus. For instance, [James Kyle recommends](https://yarnpkg.com/blog/2016/11/24/lockfiles-for-all/) committing lockfiles for libraries/packages to make contributing easier. – vine77 Jul 27 '17 at 19:25
  • 192
    Personally I've now had to resort to adding `package-lock.json` to my `.gitignore`... it was causing me far more problems than solving them. It always conflicts when we merge or rebase, and when a merge results in a `package-lock.json` being corrupted on the CI server, it's just a pain to have to stay fixing it. – Stefan Z Camilleri Aug 13 '17 at 18:37
  • 20
    @StefanZCamilleri same here, not to mention that it had a tendency to occupy the first several screen-heights of any diff in code review tools. A massive pain in the arse for next to no benefit as far as I can see at the moment. – Vala Oct 18 '17 at 13:01
  • 3
    @Thor84no I have since switched to Yarn. Has a few minor non-blocking incompatibilities but it's terribly fast in comparison to npm – Stefan Z Camilleri Oct 19 '17 at 09:30
  • 19
    If I understand correctly what this all means... since the file is ignored when you publish your package... this 'reproducability' comes at a steep price. Namely... while I have something reprodicble for myself and my co-developers working from checked-out source. The people installing my publsihed package may get something completely different. So... basically me and my fellow developers may not be noticing if dependency changes are breaking stuff, but our users installing the published package will. – Kris Jan 31 '18 at 22:37
  • 4
    @vine77 Side question would be: "Should we flag it as binary in our `.gitattributes` so that changes are not looked at?" EDIT: Actually found part of the answer [HERE](https://github.com/yarnpkg/yarn/issues/1776#issuecomment-269539948) – Joel Bourbonnais Feb 06 '18 at 21:37
  • 4
    Some developers prefer not to commit lock files for their library packages, because they believe they can catch and fix issues with dependencies before users can. This is a flawed argument as pointed out in the post ["Lockfiles should be committed on all projects"](https://yarnpkg.com/blog/2016/11/24/lockfiles-for-all/). Not committing your lock file also makes it more difficult for new users to contribute to your library. – Dennis Feb 08 '18 at 01:31
  • 12
    I don't do it. I delete this file each time it's generated. If there's any problem, I delete the node_modules/ directory and run npm install again. I even change every version to * in the dependencies and devDependencies. My attitude is if there's problem, solve it. I'd rather use all latest version. Anything that is outdated makes me feel sick. –  Feb 27 '18 at 02:08
  • 2
    Yes, you can include it, but if resolved field is used, add relative URLs instead of referencing npmjs.org to support internal repositories behind a firewall. – bvamos Mar 09 '18 at 10:01
  • 2
    Every time I run a `npm install`. The value in `integrity` fields change even the version of the packages are the save. Any idea how does this happen? – FisNaN Apr 17 '18 at 01:28
  • 4
    @Dennis The reasoning in that Yarn blog post is very short sighted and should not be relied on. It only considers the case of a bug being introduced in a dependency, which will be fixed in an upcoming release without requiring changes in your library. Unfortunately in real life not all dependency problems are due to upstream bugs that go away on their own without any action required. – pfrenssen Jun 06 '18 at 15:52
  • 4
    I also gitignore this file because cloning a repo and running `npm install` on it immediately shows that there are changes in `package-lock.json` with `git status`. Even though nothing has changed in the file, I think it just _touches_ the file. I think having it in git just confuses developers. Also, it's a massive file, who's even going to go through to it "find bugs" in dependencies, good luck with that! – Miguel Reyes Feb 28 '19 at 20:58
  • 8
    @MiguelReyes Instead of using `npm install`, use `npm ci`. `npm ci` will never mutate the package-lock.json and throw an error if package.json and package-lock.json are out of sync. Then, you can have the package-lock.json in your repository and benefit from the safeguard of known-to-work dependencies without dealing with mutated lockfiles. – k0pernikus Jun 14 '19 at 08:51
  • 3
    If this file is autogenerated, they why should we commit it? Why can't npm generate it again according to my package.json. What a poor design! – Emdadul Sawon Nov 12 '19 at 04:17
  • 5
    @EmdadulSawon It's not a poor design. It's intended to lock-in a known-to-work state. Without it you may experience a breaking app due to a breaking dependency update. The content of the package-lock.json is depending on the time you run it, so generating it at different times will yield in different outputs (depends on the available versions of your dependencies). When developing an application you can never be sure if your app will work with future versions of your dependencies as even patch and minor version may break your app. Comitting the lockfile and using `npm ci` adds reliability. – k0pernikus Nov 28 '19 at 11:00
  • 8
    Why not just hardcode dependency version by getting rid of carets and tildes (^ and ~)? – reggaeguitar Mar 12 '20 at 16:01
  • 3
    I agree with this answer that it is "intended" to be checked in. However, another problem with checking it in is that it doesn't currently respect differences in platforms. So e.g., when my teammate checks it in as it is built on a Mac, it doesn't work properly for me on Windows. https://github.com/npm/cli/issues/558 and https://stackoverflow.com/questions/59685157/npm-ci-outputs-errors-with-angular-8-and-node-12-on-windows-node-gyp-rebuild – Marcus Apr 22 '20 at 23:00
  • 1
    Still not sure after viewing the comments. To conclude, please vote up if you work at **FANG companies** and usually keep this file. – Lynne Apr 20 '21 at 04:57
  • 1
    try finding out who introduced a regression in an enterprise application with a lot of ill maintained libraries if you don't have exact versions – fedeb Sep 23 '21 at 10:11
  • @reggaeguitar because they have a meaning, coming from semantic "versioning" https://semver.org/ – Carmine Tambascia Feb 07 '22 at 16:46
  • So why use npm ci vs npm i, well because npm ci "stick" with dependencies in ? 'package-lock.json' instead of trying to install lastest greatest version of a library that eventually is not yet been integrated in that specific codebase, so definitely more "secure" and is a shame as many devs with many years of experience don't know that, included myself till some time ago https://stackoverflow.com/questions/52499617/what-is-the-difference-between-npm-install-and-npm-ci – Carmine Tambascia Feb 07 '22 at 16:53
  • I'd like to know the meaning of`the toplevel package` – liuliang May 30 '22 at 11:15
376

Yes, you SHOULD:

  1. commit the package-lock.json.
  2. use npm ci instead of npm install when building your applications both on your CI and your local development machine

The npm ci workflow requires the existence of a package-lock.json.

A big downside of npm install command is its unexpected behavior that it may mutate the package-lock.json, whereas npm ci only uses the versions specified in the lockfile and produces an error

  • if the package-lock.json and package.json are out of sync
  • if a package-lock.json is missing.

Hence, running npm install locally, esp. in larger teams with multiple developers, may lead to lots of conflicts within the package-lock.json and developers to decide to completely delete the package-lock.json instead.

Yet there is a strong use-case for being able to trust that the project's dependencies resolve repeatably in a reliable way across different machines.

From a package-lock.json you get exactly that: a known-to-work state.

In the past, I had projects without package-lock.json / npm-shrinkwrap.json / yarn.lock files whose build would fail one day because a random dependency got a breaking update.

Those issue are hard to resolve as you sometimes have to guess what the last working version was.

If you want to add a new dependency, you still run npm install {dependency}. If you want to upgrade, use either npm update {dependency} or npm install ${dependendency}@{version} and commit the changed package-lock.json.

If an upgrade fails, you can revert to the last known working package-lock.json.

To quote npm doc:

It is highly recommended you commit the generated package lock to source control: this will allow anyone else on your team, your deployments, your CI/continuous integration, and anyone else who runs npm install in your package source to get the exact same dependency tree that you were developing on. Additionally, the diffs from these changes are human-readable and will inform you of any changes npm has made to your node_modules, so you can notice if any transitive dependencies were updated, hoisted, etc.

And in regards to the difference between npm ci vs npm install:

  • The project must have an existing package-lock.json or npm-shrinkwrap.json.
  • If dependencies in the package lock do not match those in package.json, npm ci will exit with an error, instead of updating the package lock.
  • npm ci can only install entire projects at a time: individual dependencies cannot be added with this command.
  • If a node_modules is already present, it will be automatically removed before npm ci begins its install.
  • It will never write to package.json or any of the package-locks: installs are essentially frozen.

Note: I posted a similar answer here

k0pernikus
  • 60,309
  • 67
  • 216
  • 347
  • 54
    This answer deserves more credit, especially using npm ci. Using this mitigates most of the issues people have experienced with package lock. – JamesB Jun 13 '19 at 21:42
  • 4
    I've found using fixed version in package.json (no caret or tilde) to be a much much cleaner option. This saves me from `whose build would fail one day because a random dependency got a breaking update` kind of issue. Though it leaves the possibility of child's dependency çausing the same issue. – Ashwani Agarwal May 29 '20 at 06:40
  • 2
    Is it still relevant that we should always use npm ci? From the docs it looks like this is incorrect. **npm install** "This command installs a package and any packages that it depends on. If the package has a package-lock, or an npm shrinkwrap file, or a yarn lock file, the installation of dependencies will be driven by that, respecting the following order of precedence:" **npm ci** "If a node_modules is already present, it will be automatically removed before npm ci begins its install." Certainly npm ci should be used as part of your CI/CD process, but seems excessive on dev machine?? – Thomas Apr 22 '21 at 15:22
  • 2
    Thank you so MUCH! i knew there had to be an "npm i" that was read-only style. IF according to the documentation the lock file is used to sync me up to whatever the previous change was, but "npm i" would always write to the package-lock.json and then what? it didnt' make sense for me (the one being synced) to now have changes to check in. I will try using "npm ci" from now on and see if the problems go away. – diox8tony Jul 12 '21 at 17:34
  • I am running into this. But I just needed to install a package based on a change that another developer pushed. The docs say you can't install an individual package with npm ci. If you use npm i somepackage@version it still dramatically changed my package-lock.json file. Now I don't know what to do. – MattoMK Feb 24 '22 at 19:43
  • @MattoMK Those changes are to be expected. Your somepackage has dependencies, and those have dependencies, so installing a a package in a specific version may lead to an larger changeset in the package-lock.json. What are you are trying to accomplish? – k0pernikus Feb 25 '22 at 04:27
  • 1
    This should be the accepted answer. Using `npm i` can cause `package-lock.json` to change every time a different developer runs it. Completely neutralizes the benefit of having it. – Samo Sep 19 '22 at 14:46
143

Yes, it's intended to be checked in. I want to suggest that it gets its own unique commit. We find that it adds a lot of noise to our diffs.

xer0x
  • 12,970
  • 5
  • 32
  • 29
  • 26
    it's fair to debate whether it should be checked into your source code repository, but publishing this file to npm is not really up for debate - you must include either your package-lock.json or your shrinkwrap file into your npm registry. if you do not, your published package will be subject to unpinned changes of dependencies of your 1st generation dependencies. you won't notice this to be a problem until one of those 2nd+ generation dependencies publishes a breaking change, and your published package becomes mysteriously broken. this package-lock.json file was created to solve that problem. – guerillapresident Sep 10 '17 at 15:16
  • Could you tell me more about this to me "lot of noise to our diffs"? I think I have the idea but I prefer to be sure. – Beto Aveiga Nov 10 '17 at 15:13
  • 12
    @BetoAveiga by noise I mean that the commits with package-lock.json can have so many lines of node package versions, that any other work in that commit becomes hidden. – xer0x Nov 25 '17 at 07:45
  • 9
    I usually keep package installations separate from other work. I never need to diff a commit like "Installed chai and mocha", because I already know what changed. – ki9 Dec 14 '17 at 17:45
  • 4
    Any advice regarding the ``package-lock.json`` file when working on a SCM system with trunks and branching? I'm making some changes on a branch that need to be merged to trunk... do I now have to (somehow) resolve conflicts between the two ``package-lock.json`` files? This feels painful. – kmiklas Jan 23 '18 at 21:35
  • 9
    @guerillapresident As I understand it, you're partially correct. Publishing this file to npm is not up for debate. You can't publish it. – Tim Gautier May 10 '18 at 15:03
  • 3
    @guerillapresident You cannot publish the package-lock.json file: https://docs.npmjs.com/files/package-lock.json – Don May 17 '18 at 15:32
  • @guerillapresident finally a proper explanation :) thank you so much. Regards. – Deunz Jun 25 '19 at 11:41
  • @guerillapresident what you said is completely wrong. You cannot publish `package-lock.json` because npm prevents it, so this is not the reason lockfiles were created. Second, incompatibilities should be expressed in package.json itself. – Matthias Apr 19 '23 at 19:51
121

Yes, the best practice is to check-in (YES, CHECK-IN)

I agree that it will cause a lot of noise or conflict when seeing the diff. But the benefits are:

  1. guarantee exact same version of every package between your dev and prod environments. This part is the most important when building in different environments at different times. You may use ^1.2.3 in your package.json, but how can you ensure each time npm install will pick up the same version in your dev machine and in the build server, especially those indirect dependency packages? Well, package-lock.json will ensure that. (With the help of npm ci which installs packages based on lock file)
  2. it improves the installation process.
  3. it helps with new audit feature npm audit fix.
Xin
  • 33,823
  • 14
  • 84
  • 85
  • 28
    +1 for mentioning `npm ci`. People frequently mention that a `package-lock.json` allows a deterministic installation of packages but almost never mention the command that facilitates this behavior! Many people probably incorrectly assume `npm install` installs exactly what's in the lock file... – ahaurat Feb 12 '19 at 00:18
  • npm ci isn't in npm 5. – dpurrington Apr 09 '19 at 00:03
  • 2
    Thank you! It only makes sense to commit package-lock.json if you are using `npm ci`. Your team/lead developer can decide when to update. If everyone is just arbitrarily committing it, there is no point to it, and it's just creating noise in your repo. [NPM documentation](https://docs.npmjs.com/files/package-lock.json) should make this more clear. I think most developers are just confused by this feature. – adampasz Aug 17 '19 at 15:52
  • @adampasz actually each dev can commit the lock file, and once pass the testing and merged, the second branch just renew the lock file if somehow the packages get changed (we do not change the package.json often, we less facing this issue( – Xin Aug 19 '19 at 03:25
  • 1
    @ahaurat Is your comment still relevant that we should always use npm ci? From the docs it looks like this is incorrect. **npm install** "This command installs a package and any packages that it depends on. If the package has a package-lock, or an npm shrinkwrap file, or a yarn lock file, the installation of dependencies will be driven by that, respecting the following order of precedence:" **npm ci** "If a node_modules is already present, it will be automatically removed before npm ci begins its install." Certainly npm ci should be used as part of your CI/CD process. – Thomas Apr 22 '21 at 15:14
  • My answer [here](https://stackoverflow.com/a/64014814/10788155) clarifies the differences and when to use `npm install` vs `npm ci`. – Ictus Aug 21 '22 at 10:40
57

I don't commit this file in my projects. What's the point ?

  1. It's generated
  2. It's the cause of a SHA1 code integrity err in gitlab with gitlab-ci.yml builds

Though it's true that I never use ^ in my package.json for libs because I had bad experiences with it.

[EDIT] This answer is outdated (2018) and to be fair it also lacks of knowledge. As of april 2023, my answer would be => OF COURSE YOU MUST COMMIT THIS FILE : For instance, standard install command on CI platforms would be npm ci need that file to work properly to ENSURE the dependencie tree is the exact same as commited;

Deunz
  • 1,776
  • 19
  • 32
  • 14
    I wish this could be expounded more from within npm docs - It would be useful to have an outline of what specifically you lose by not committing `package-lock.json`. Some repos may not require the benefits that come from having it, and may prefer to have no auto-generated content in source. – PotatoFarmer Oct 01 '18 at 22:32
  • 2
    I can see how it can be useful for debugging (a diff between two locks for example) to help resolve issues. I guess it can also be used to prevent these sort of things but it can also be a pain having it in a shared repo where it may experience merge conflicts due to it. For starters I want to keep things simple, I will just use package.json on its own until I see there is a real need for the package-lock.json. – radtek Mar 14 '19 at 17:18
  • 18
    You may not use ^ at your package.json, but you can be sure your dependencies don't use it? – neiker May 15 '19 at 18:25
  • 1
    Each time I'm updating a library the entire lock file is re-generated, using new dependencies, and causing nasty situations. Imagine yourself what will happen with my CI builds if this was not checked in, with all the limitations... the answer is CHAOS - unreliable builds. Sometimes I'm forced to override specific package versions in order to not crash my entire app. Please don't create a package with `^`, or `*` ([example](https://github.com/gruntjs/grunt-contrib-uglify/blob/main/package.json)), because it can create a lot of issues for the final consumer. – HellBaby Dec 22 '21 at 10:51
  • 1
    "What's the point" is an "argument from ignorance". "It's generated" is not a full argument. (Commit hashes are generated; should we stop using them too?). About the GitLab SHA1 error, this can be avoided by either fixing the setup or running `rm package-lock.json` at the start of the job. – Matthias Sep 07 '22 at 15:40
  • 1
    The point is that if you're using package A and this package relies on package B, and the package B gets a bad release that breaks your ci pipeline, then without package-lock.json you have no way of pinning down the version of package B to an earlier release. You are able to npm i manually on localhost, but not in ci. Your CI pipeline keeps failing and all you can do is revert master to an earlier commit, possibly losing some recently committed work, until package A locks in a good B release. That's what happened recently with eslint (A) and esquery (B). – user776686 Feb 17 '23 at 08:00
  • 2
    If package-lock.json is ignored in your project, it may cause issues such as version conflicts, unexpected package upgrades, or differences between the development environment and the production environment. – badr aldeen Apr 03 '23 at 15:03
  • 1
    Badr aldeen, it's true, when I wrote this answer 5 years ago i was lacking npm versioning knowledge. I though removing ^ and ~ version modifiers in my package.json would avoir such version conflicts. But of course dependencies could use such modifiers so this is a problem. This answer is a bad one, I know that for a fact – Deunz Apr 04 '23 at 08:21
52

To the people complaining about the noise when doing git diff:

git diff -- . ':(exclude)*package-lock.json' -- . ':(exclude)*yarn.lock'

What I did was use an alias:

alias gd="git diff --ignore-all-space --ignore-space-at-eol --ignore-space-change --ignore-blank-lines -- . ':(exclude)*package-lock.json' -- . ':(exclude)*yarn.lock'"

To ignore package-lock.json in diffs for the entire repository (everyone using it), you can add this to .gitattributes:

package-lock.json binary
yarn.lock binary

This will result in diffs that show "Binary files a/package-lock.json and b/package-lock.json differ whenever the package lock file was changed. Additionally, some Git services (notably GitLab, but not GitHub) will also exclude these files (no more 10k lines changed!) from the diffs when viewing online when doing this.

Raza
  • 3,147
  • 2
  • 31
  • 35
  • 2
    I have `gd() { git diff --color-words $1 $2 -- :!/yarn.lock :!/package-lock.json; }` in my .bashrc instead of an alias. – apostl3pol May 14 '19 at 21:47
  • Blindly committing could be dangerous: https://snyk.io/blog/why-npm-lockfiles-can-be-a-security-blindspot-for-injecting-malicious-modules/ – Niels Bom Oct 18 '22 at 14:36
26

Yes, you can commit this file. From the npm's official docs:

package-lock.json is automatically generated for any operations where npm modifies either the node_modules tree, or package.json. It describes the exact tree that was generated, such that subsequent installs are able to generate identical trees, regardless of intermediate dependency updates.

This file is intended to be committed into source repositories[.]

Martijn Pieters
  • 1,048,767
  • 296
  • 4,058
  • 3,343
Bablu Singh
  • 483
  • 4
  • 14
16

Yes, it's a standard practice to commit package-lock.json.

The main reason for committing package-lock.json is that everyone in the project is on the same package version.

Pros:

  • If you follow strict versioning and don't allow updating to major versions automatically to save yourself from backward-incompatible changes in third-party packages committing package-lock helps a lot.
  • If you update a particular package, it gets updated in package-lock.json and everyone using the repository gets updated to that particular version when they take the pull of your changes.

Cons:

  • It can make your pull requests look ugly :)

npm install won't make sure that everyone in the project is on the same package version. npm ci will help with this.

k0pernikus
  • 60,309
  • 67
  • 216
  • 347
Nikhil Mohadikar
  • 1,201
  • 15
  • 9
  • 8
    The cons would go away if you'd use `npm ci` instead of `npm install`. – k0pernikus Sep 06 '19 at 15:49
  • 2
    Scope creeping a little, but here's [more info on that excellent advice from @k0pernikus](https://stackoverflow.com/questions/52499617/what-is-the-difference-between-npm-install-and-npm-ci). – ruffin Dec 08 '19 at 21:13
  • 2
    "Everyone in the project will be on the same package version, all you have to do is npm install" Not true, you need to use "npm ci" instead – reggaeguitar Mar 12 '20 at 16:10
  • Thanks, @reggaeguitar. Updating my answer for this. – Nikhil Mohadikar Mar 17 '20 at 09:48
  • @reggaeguitar do you have a source? This is exactly what a lockfile does --- guarantee the exact installed versions. – Matthias Apr 19 '23 at 21:22
  • @Matthias can't remember where I read that, it's possible they've changed the behavior since then – reggaeguitar May 06 '23 at 06:18
13

Yes

The answer is yes, absolutely always commit your lockfile to git.

Analogy to git hashes

If you use git, you should use a lockfile because they serve the same purpose:

  • a git hash guarantees stability for the contents of files in a git repo.
  • a lockfile guarantees stability for the contents of node_modules.

Because...

  • files in a git repo may change over time, but a git hash refers to an exact snapshot of files.
  • npm packages in the npm registry may change over time, but a lockfile refers to an exact snapshot of dependencies.

From the package managers themselves

Package manager vendors clearly say you should commit the lockfile.

npm

It is highly recommended you commit the generated package lock to source control ...

https://docs.npmjs.com/cli/v6/configuring-npm/package-locks

When npm installs without a lockfile, it tells you clearly to commit the lockfile:

npm notice  created a lockfile as package-lock.json. You should commit this file.

yarn

Lockfiles should be committed on all projects

https://classic.yarnpkg.com/blog/2016/11/24/lockfiles-for-all/

pnpm

You should always commit the lockfile (pnpm-lock.yaml).

https://pnpm.io/git

Reasons

Consistency

A single commit should be the same forever, and its build output should not change over time.

From npm:

[a lockfile] will allow anyone else on your team, your deployments, your CI/continuous integration, and anyone else who runs npm install in your package source to get the exact same dependency tree that you were developing on.

From yarn:

If you don’t store which version you ended up installing, someone could be installing the same set of dependencies and end up with different versions depending on when they installed. This can lead to “Works On My Machine” problems and should be avoided.

Traceability of changes

When something changes, you want git to track that change.

From npm:

[with a lockfile] the diffs from [installation] changes are human-readable and will inform you of any changes npm has made to your node_modules, so you can notice if any transitive dependencies were updated, hoisted, etc.

Stability and security

Avoid introducing bugs and vulnerabilities.

From yarn:

Since package authors are people and they can make mistake, it’s possible for them to publish an accidental breaking change in a minor or patch version. If you install this breaking change when you don’t intend to it could have bad consequences like breaking your app in production.

If the package author is either malicious or is attacked by someone malicious and a bad version is published, you do not want that code to end up running without you knowing about it.

Common Objections

"There's no point"

This is an "Argument from Ignorance" which is a logical fallacy. In other words, "I don't know the reason, so there is none".

"It's generated"

If this file is autogenerated, they why should we commit it? Why can't npm generate it again according to my package.json.

from comment

Response: being generated is not a flaw. Git commit hashes are generated; should we not use git? The truth is that the lockfile is not deterministically generated from package.json, because it is susceptible to time and the state of packages in the npm registry. It is a snapshot, for stability.

"It causes merge conflicts"

It's a burden to resolve merge conflicts in checked-in lockfiles.

From npm:

As of npm@5.7.0, these conflicts can be resolved by manually fixing any package.json conflicts, and then running npm install [--package-lock-only] again.

From yarn:

when there’s a merge conflict in the lockfile, Yarn will automatically handle the conflict resolution for you upon running yarn install.

https://engineering.fb.com/2017/09/07/web/announcing-yarn-1-0/

From pnpm:

pnpm can automatically resolve merge conflicts in pnpm-lock.yaml. If you have conflicts, just run pnpm install and commit the changes.

So all package managers resolve lockfile merge conflicts automatically. This may not be the case in older versions, but it is the case now.

The only time this fails is if the package.json itself has conflicts, because you can't install from an invalid package.json. You must resolve those conflicts manually as you would have to do anyway.

"The merge conflicts interfere with PRs and MRs"

Using lock files greatly increases the chance that merging one PR will result in a second PR becoming conflicted with the base branch.

https://docs.renovatebot.com/noise-reduction/#lock-file-considerations

This is true. Git providers (GitHub, GitLab, etc) don't automatically resolve lockfile conflicts, so this may add a burden to merging. However when weighing this con, understand that lockfiles do not normally change; they only change when package.json deps change, or when a developer specifically changes the file or the installed node_modules deps.

"It makes diff noise"

If diff tools show lockfile diffs, it's a lot of noise.

This is true, however it's a tooling problem which many tools can handle gracefully (such as auto-minimizing, paging, or virtual scrolling). If you don't want to see the lockfile diff at all, try git diff -- . ':(exclude)yarn.lock', or alternatively mark the file as binary in .gitattributes (however you won't see its diff, if that matters to you).

"Exact versions are good enough"

Why not just hardcode dependency version by getting rid of carets and tildes (^ and ~)?

comment

The idea is that not using ranges in your package.json's dependency semver expressions accomplishes the same thing as having a lockfile.

This is false. Even if you specify exact versions, your dependencies have their own dependencies, which may use ranges for their versions, not exact versions. So this doesn't end up locking the whole dependency tree, only the top of it.

"Lockfiles for apps, no lockfiles for libraries"

Examples of this objection:

The sentiment is that libraries need to react to bleeding edge deps, and that not having lockfiles supports this.

From yarn:

Some have wondered why libraries should use lockfiles at all ... that using lockfiles when developing libraries creates a false sense of security since your users could be installing different versions than you.

This seems to logically makes sense, but let’s dive deeper into the problem.

The yarn article goes into depth to dispel this objection. Please read it.

A common error in this argument is the thought that if you don't commit the lockfile, it doesn't exist. In reality, it's still there on your machine, locking your dependencies. The situation is not improved by gitignoring the lockfile.

If a library maintainer wishes to continually test for compatibility, then they should delete their lockfile (whether the lockfile is checked in or not!) before installing and building their library. The only difference with a checked-in lockfile is that you have a persistent record of the state of node_modules when this happened, so it can be reproduced in the future.

There are bots like greenkeeper and renovate-bot for this. Greenkeeper advocates for checking in lockfiles (Greenkeeper and Lockfiles: A match made in heaven) and renovate-bot expresses no opinion but does commit lockfiles if present.

"Lockfiles are generated differently by different systems"

This is a claim mentioned (e.g. here): that different OSes generate different lockfile contents. If this is the case, this is a bug.

However it is possible that different versions of npm (or any package manager) may produce different lockfile output. I have not confirmed this, but hypothetically if so, it is a small price to pay for stability. To workaround this, contributors will need to switch their package manager version, by using a tool like nvm.

"Lockfiles can be a security risk"

See Snyk - Why npm lockfiles can be a security blindspot for injecting malicious modules

This is a real risk. A public project with a lockfile can receive a malicious PR with lockfile contents that could compromise a maintainer's machine once the branch is pulled and installed.

Defend against this with CI checks like lockfile-lint or simply npm ci or yarn --immutable (yarn --frozen-lockfile on Yarn 1), and perhaps setting ignore-scripts locally in your npmrc.

This risk is present whenever you install a package with untrusted code.

In Conclusion

Always commit the lockfile.

Matthias
  • 13,607
  • 9
  • 44
  • 60
8

Disable package-lock.json globally

type the following in your terminal:

npm config set package-lock false

this really work for me like magic

Balogun Ridwan Ridbay
  • 574
  • 4
  • 7
  • 2
    this creates `~/.npmrc` (at least on my macos) with content `package-lock=false` and the same can be done in any specific project alongside `node_modules/` (eg `echo 'package-lock=false' >> .npmrc` – jimmont Nov 30 '18 at 18:09
  • 9
    its sort of funny to me that this would be a negative. the npm community just can't accept that package-lock.json automatic generation was bad community involvement. you shouldn't do stuff that can impact a teams process. it should have been an option to enable, not forced. how many people just do "git add *" and not even notice it and screw up builds. If you have any kind of a merge based flow, I know git flow is like the bible to the people that use it, this won't work. you can't have generation on merge! npm versioning is broken, package : 1.0.0 should be deterministic! – Eric Twilegar Feb 05 '19 at 22:25
  • 3
    why is this down-voted? this is clearly a legit way of disabling a feature that does not work. And although it does not answer the question per se, it moots the question. i.e. it no longer needs answering. Thumbs up from me :) – Superole Feb 06 '19 at 16:34
  • 2
    The reason why it's getting downvoted is because you are simply disabling a feature. – Raza May 07 '19 at 17:22
  • 5
    This answer deserves to be downvoted because it *does not (attempt to) answer the question*. – Gershom Maes Feb 05 '21 at 17:05
  • Translation of this answer: don't commit package-lock (I guess) – Sahin Jun 27 '22 at 21:40
5

All answers say "YES" but that also depend of the project, the doc says:

One key detail about package-lock.json is that it cannot be published, and it will be ignored if found in any place other than the toplevel package.

This mean that you don't need to publish on npm your package-lock.json for dependency but you need to use package-lock.json in your repo to lock the version of your test dependency, build dependencies…

However, If your are using lerna for managing projects with multiple packages, you should put the package.json only on the root of your repo, not in each subpackage are created with npm init. You will get something like that :

.git
lerna.json
package.json
package-lock.json        <--- here
packages/a/package.json
packages/a/lib/index.js
packages/b/package.json
packages/b/lib/index.js
user2226755
  • 12,494
  • 5
  • 50
  • 73
1

Committing package-lock.json to the source code version control means that the project will use a specific version of dependencies that may or may not match those defined in package.json. while the dependency has a specific version without any Caret (^) and Tilde (~) as you can see, that's mean the dependency will not be updated to the most recent version. and npm install will pick up the same version as well as we need it for our current version of Angular.

Note : package-lock.json highly recommended to commit it IF I added any Caret (^) and Tilde (~) to the dependency to be updated during the CI.

MedElmaachi
  • 916
  • 7
  • 7
  • 1
    In addition to seeing whether _your_ dependencies' semver ranges have a range (`^` or `~`) instead of an exact version — think about whether your dependencies' dependencies (and so on) have ranges. They probably do. Npm looks at them all, not just the top level. So using exact versions in package.json **does not** accomplish the stability of a lockfile. – Matthias Sep 07 '22 at 15:44
0

TLTR

Commit on below situations.

  1. Commit if, adding new npm/yarn packages to project.
  2. Commit if, any change in package.json is updating .lock file.
  3. Commit if, any version changes in packages,nodejs, yarn is updating .lock file.

Do Not Commit on below situations.

  1. you did no coding & getting updated lock file it means other dev did not push lock file during above specified commit points

  2. you just took pull & getting updated lock file it means other dev did not push lock file during above specified commit points

  3. just did git clone & getting updated lock file it means other dev did not push lock file during above specified commit points

  4. you coded a feature and did nothing related to above specified commit points and still lock file is updating it means other dev did not push lock file during above specified commit points

Conclusion

Main goal of lock file is that all developers & all environments & all machines on which project is installed should have ULTRA ACCURATED libraries & versions

so basically, there are only 3 only situations for commit.

vijay
  • 10,276
  • 11
  • 64
  • 79
-1

My use of npm is to generate minified/uglified css/js and to generate the javascript needed in pages served by a django application. In my applications, Javascript runs on the page to create animations, some times perform ajax calls, work within a VUE framework and/or work with the css. If package-lock.json has some overriding control over what is in package.json, then it may be necessary that there is one version of this file. In my experience it either does not effect what is installed by npm install, or if it does, It has not to date adversely affected the applications I deploy to my knowledge. I don't use mongodb or other such applications that are traditionally thin client.

I remove package-lock.json from repo because npm install generates this file, and npm install is part of the deploy process on each server that runs the app. Version control of node and npm are done manually on each server, but I am careful that they are the same.

When npm install is run on the server, it changes package-lock.json, and if there are changes to a file that is recorded by the repo on the server, the next deploy WONT allow you to pull new changes from origin. That is you can't deploy because the pull will overwrite the changes that have been made to package-lock.json.

You can't even overwrite a locally generated package-lock.json with what is on the repo (reset hard origin master), as npm will complain when ever you issue a command if the package-lock.json does not reflect what is in node_modules due to npm install, thus breaking the deploy. Now if this indicates that slightly different versions have been installed in node_modules, once again that has never caused me problems.

If node_modules is not on your repo (and it should not be), then package-lock.json should be ignored.

If I am missing something, please correct me in the comments, but the point that versioning is taken from this file makes no sense. The file package.json has version numbers in it, and I assume this file is the one used to build packages when npm install occurs, as when I remove it, npm install complains as follows:

jason@localhost:introcart_wagtail$ rm package.json
jason@localhost:introcart_wagtail$ npm install
npm WARN saveError ENOENT: no such file or directory, open '/home/jason/webapps/introcart_devtools/introcart_wagtail/package.json'

and the build fails, however when installing node_modules or applying npm to build js/css, no complaint is made if I remove package-lock.json

jason@localhost:introcart_wagtail$ rm package-lock.json 
jason@localhost:introcart_wagtail$ npm run dev

> introcart@1.0.0 dev /home/jason/webapps/introcart_devtools/introcart_wagtail
> NODE_ENV=development webpack --progress --colors --watch --mode=development

 10% building 0/1 modules 1 active ...
MagicLAMP
  • 1,032
  • 11
  • 26
  • Just to add, I now have committed my package-lock.json to my repository, and am using npm ci on my ansible deploy, which I believe delete's node_modules, and installs everything in package-lock.json without updating it. This allows my front end guy to upgrade javascript stuff without need for manual intervention in deploy. – MagicLAMP May 06 '20 at 00:03