11

When I run "npm install" in a project it often modifies package-lock.json, for example if I work on the same project from another computer (with a different node or npm version).

But at the same time the documentation suggests that the file is supposed to be added to version control (git in my case):

https://docs.npmjs.com/files/package-lock.json

This file is intended to be committed into source repositories, and serves various purposes: ...

So should I commit the changes made by npm back and forth when switching work machines or when somebody else does npm install? This would be a nightmare.

Currently I just discard any changes to package-lock.json made by npm, and it's been working fine. So I might as well add it to .gitignore...

Am I doing it wrong? Should I use npm ci instead? I wouldn't call my computer a "CI", it's just a development machine, why should I use it there?

Basically I have the same question as this gentleman:

https://github.com/npm/npm/issues/18103#issuecomment-370401935

(Sadly I can't add a comment on that issue or create a new issue at all, the npm repo has issues disabled)

szx
  • Possible duplicate of [Do I commit the package-lock.json file created by npm 5?](https://stackoverflow.com/questions/44206782/do-i-commit-the-package-lock-json-file-created-by-npm-5) – kaliatech Mar 11 '19 at 19:53
  • It's complicated. Officially package-lock.json is supposed to be committed, but a lot of people do not. To understand, you also need to read up on `npm shrinkwrap` and `npm ci`. See these related questions: https://stackoverflow.com/questions/52499617/what-is-the-difference-between-npm-install-and-npm-ci, https://stackoverflow.com/questions/44206782/do-i-commit-the-package-lock-json-file-created-by-npm-5. – kaliatech Mar 11 '19 at 19:58
  • Please, see [this answer](https://stackoverflow.com/a/64014814/10788155) – Ictus Aug 21 '22 at 10:47

1 Answer

-2

Yes, you want to commit your package-lock.json file to source control. The reasoning behind this is to ensure that all of the same versions of each package are downloaded and installed for each user that pulls down the code. There are some other reasons to include the file, such as tracking changes to your package tree for auditing.

E McG
  • Yes, I understand the purpose of a lock file, but in the case of npm it actually installs *different* versions of packages than the ones in the lock file (and modifies those versions while doing it) - this I don't understand – szx Oct 26 '18 at 14:22
  • As of NPM version 5.1.0 the package.json can trump the package-lock.json in terms of a higher dependent package version in the package.json. This can be solved by removing the tilde in the package versions in the lock file. – E McG Oct 26 '18 at 14:26
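As an added example (not code from the question, the answer or npm itself), here is a small Node script that performs a simplified version of the consistency check `npm ci` enforces: it compares a constructed package.json against a constructed lockfileVersion 2 package-lock.json and reports the drift that makes a committed lock useless, including entries that lack an `integrity` hash. The package names, URLs and integrity strings are made up, and only exact, `^` and `~` ranges are handled.

```javascript
// Added example (not from the question, the answer or npm): a simplified
// version of the check `npm ci` does between package.json and a lockfileVersion
// 2/3 package-lock.json, reporting drift that makes a committed lock useless:
// a dependency missing from the lock, a locked version outside the declared
// range, and an entry with no `integrity` hash (a swapped tarball goes unnoticed).
function parseVersion(v) { return v.split('.').map(Number); }

function cmp(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}

// Exact, ^ and ~ ranges only; ^0.x.y behaves like ~0.x.y as in npm semver.
function satisfies(version, range) {
  const op = '^~'.includes(range[0]) ? range[0] : '';
  const base = parseVersion(op ? range.slice(1) : range);
  const got = parseVersion(version);
  if (cmp(got, base) < 0) return false;
  if (op === '') return cmp(got, base) === 0;
  const lockMinor = op === '~' || base[0] === 0;
  return got[0] === base[0] && (!lockMinor || got[1] === base[1]);
}

// Empty result: lock matches the manifest and every entry is integrity-protected.
function lockDrift(pkg, lock) {
  const declared = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
  const problems = [];
  for (const [name, range] of Object.entries(declared)) {
    const entry = (lock.packages || {})['node_modules/' + name];
    if (!entry) { problems.push(`${name}: declared in package.json but missing from lock`); continue; }
    if (!satisfies(entry.version, range)) problems.push(`${name}: locked ${entry.version} does not satisfy ${range}`);
    if (!entry.integrity) problems.push(`${name}: lock entry has no integrity hash`);
  }
  return problems;
}

// Constructed sample data: fake package names, placeholder URLs and hashes.
const SAMPLE_PACKAGE_JSON = {
  dependencies: { 'left-pad-ish': '^1.3.0', 'tiny-json-ish': '~2.1.0', 'pinned-lib-ish': '0.4.2' },
  devDependencies: { 'test-runner-ish': '^7.0.0' },
};
const SAMPLE_LOCK = {
  lockfileVersion: 2,
  packages: {
    'node_modules/left-pad-ish': { version: '1.5.2', resolved: 'https://registry.invalid/a.tgz', integrity: 'sha512-PLACEHOLDER-A' },
    'node_modules/tiny-json-ish': { version: '2.2.0', resolved: 'https://registry.invalid/b.tgz', integrity: 'sha512-PLACEHOLDER-B' },
    'node_modules/pinned-lib-ish': { version: '0.4.2', resolved: 'https://registry.invalid/c.tgz' },
    // test-runner-ish deliberately absent: manifest changed, lock not regenerated
  },
};
const drift = lockDrift(SAMPLE_PACKAGE_JSON, SAMPLE_LOCK);
console.log(drift.length ? drift.join('\n') : 'lock is consistent with package.json');
```

Run against a real project by replacing the two constants with `JSON.parse(fs.readFileSync(...))` of the actual files; a non-empty result is exactly the situation where `npm ci` refuses to install.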