
Let's consider npm 5.3.0+.

Imagine I've just created package.json in an empty directory and run npm i. Then I've edited package versions in package.json. At this point, package.json is inconsistent with package-lock.json.

Question: what happens if I run npm i again? Which file would be the source of truth? In npm docs I've found only a vague statement "Whenever you run npm install, npm generates or updates your package lock".

Same question for yarn.

tk421
Dan
  • Well, that statement says it all; npm will either generate or update the lock file. It will do that based on the contents of the package.json file, since that's where it pulls the list of packages to update/generate into the lock file. – Heretic Monkey Jun 11 '18 at 16:27
  • @MikeMcCaughan same documentation says "If the package has a package-lock or shrinkwrap file, the installation of dependencies will be driven by that", which makes me wonder. Also: https://github.com/npm/npm/issues/16866 – Dan Jun 11 '18 at 16:43
  • These might be good things to add to your question so that others don't have to repeat the same research you've apparently already done... You may be interested in the answer to [npm - How to actually use package-lock.json for installing based on locked versions?](https://stackoverflow.com/q/47480617) and ["package-lock.json" role](https://stackoverflow.com/q/44297803) – Heretic Monkey Jun 11 '18 at 16:45

1 Answer


I've got a similar problem while using yarn. Here are some ideas that may be helpful to you:

If yarn.lock is present and is enough to satisfy all the dependencies listed in package.json, the exact versions recorded in yarn.lock are installed, and yarn.lock will be unchanged. Yarn will not check for newer versions.

If yarn.lock is absent, or is not enough to satisfy all the dependencies listed in package.json (for example, if you manually add a dependency to package.json), Yarn looks for the newest versions available that satisfy the constraints in package.json. The results are written to yarn.lock.

https://classic.yarnpkg.com/en/docs/cli/install/

Which file would be the source of truth?

It depends on whether the version of the 3rd-party package in yarn.lock satisfies the package's version constraint in package.json. If it does, the yarn.lock file is "the source of truth"; otherwise, it is package.json.

HuihuangZhang
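The rule quoted above (the lock file wins only while it still satisfies every range in package.json; otherwise the package manager re-resolves and rewrites the lock) applies to npm's package-lock.json in the same way. From a supply-chain standpoint the risky moment is a plain `npm install` / `yarn install` run against a manifest that has drifted from its lock, because it silently pulls newer versions and rewrites the lock in the same step. The script below is an added example, not code from the question, the answer, npm or Yarn: it reads a constructed package.json and package-lock.json and reports, per dependency, whether the locked version still satisfies the manifest range. It supports only caret, tilde and exact ranges on full `major.minor.patch` versions (prerelease tags are ignored), which is an assumption for brevity; npm's real range grammar is wider. It reads both lockfileVersion 1 (`dependencies`) and lockfileVersion 2/3 (`packages`) layouts.

```python
"""Report manifest/lock drift before running an install (added example)."""
import json
import re

# Constructed sample: package.json was edited after the lock file was written.
PACKAGE_JSON = """{
  "name": "demo",
  "dependencies": {
    "lodash": "^4.17.21",
    "express": "~4.18.0",
    "left-pad": "1.3.0"
  },
  "devDependencies": {
    "jest": "^29.0.0"
  }
}"""

# Constructed lockfileVersion 2 file: lodash is older than the new range,
# jest was added to package.json but never installed.
PACKAGE_LOCK = """{
  "name": "demo",
  "lockfileVersion": 2,
  "packages": {
    "": {"name": "demo"},
    "node_modules/lodash": {"version": "4.17.15"},
    "node_modules/express": {"version": "4.18.2"},
    "node_modules/left-pad": {"version": "1.3.0"}
  }
}"""


def parse_version(text):
    """Parse 'major.minor.patch' (optional leading 'v', prerelease/build ignored)."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)(?:[-+].*)?", text.strip())
    if not m:
        raise ValueError(f"unsupported version: {text!r}")
    return tuple(int(x) for x in m.groups())


def range_bounds(spec):
    """Return (low, high): low inclusive, high exclusive; high None means exact.

    Assumption: only ^, ~ and exact/'=' specs on full triples are handled.
    """
    spec = spec.strip()
    if spec.startswith("^"):
        # ^1.2.3 -> <2.0.0, ^0.2.3 -> <0.3.0, ^0.0.3 -> <0.0.4 (semver caret rules)
        low = parse_version(spec[1:])
        major, minor, patch = low
        if major > 0:
            high = (major + 1, 0, 0)
        elif minor > 0:
            high = (0, minor + 1, 0)
        else:
            high = (0, 0, patch + 1)
        return low, high
    if spec.startswith("~"):
        # ~1.2.3 -> >=1.2.3 <1.3.0
        low = parse_version(spec[1:])
        return low, (low[0], low[1] + 1, 0)
    low = parse_version(spec.lstrip("="))
    return low, None


def satisfies(version, spec):
    """True if the locked version lies inside the manifest range."""
    v = parse_version(version)
    low, high = range_bounds(spec)
    return v == low if high is None else low <= v < high


def locked_versions(lock):
    """Map top-level dependency name -> locked version for lockfileVersion 1 or 2/3."""
    if "packages" in lock:
        out = {}
        for path, entry in lock["packages"].items():
            # Keep only direct entries "node_modules/<name>", skip nested ones.
            if path.startswith("node_modules/") and "/node_modules/" not in path:
                out[path[len("node_modules/"):]] = entry["version"]
        return out
    return {name: e["version"] for name, e in lock.get("dependencies", {}).items()}


def check_lock(package_json_text, lock_text):
    """Return {name: 'locked' | 'drifted' | 'missing'} for every manifest dependency."""
    pkg = json.loads(package_json_text)
    locked = locked_versions(json.loads(lock_text))
    wanted = {}
    for section in ("dependencies", "devDependencies"):
        wanted.update(pkg.get(section, {}))
    report = {}
    for name, spec in wanted.items():
        if name not in locked:
            report[name] = "missing"       # install would resolve and add it
        elif satisfies(locked[name], spec):
            report[name] = "locked"        # lock file stays the source of truth
        else:
            report[name] = "drifted"       # install would re-resolve and rewrite the lock
    return report


if __name__ == "__main__":
    for name, status in check_lock(PACKAGE_JSON, PACKAGE_LOCK).items():
        print(f"{name}: {status}")
```

Anything reported as `drifted` or `missing` is exactly what a plain install would quietly re-resolve; in a pipeline that is the point to stop and review the change rather than let the lock be rewritten. `npm ci` (which refuses to run when the lock and manifest disagree) gives the same guarantee at install time, but only for npm versions that have it.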