This is similar to Do I commit the package-lock.json file created by npm 5? or Should package-lock.json also be published?

but for an npm package. I was told that it's not recommended to commit this file to the repo (it's only recommended for applications), but I can't find this information right now to confirm.

From the npm documentation:

One key detail about package-lock.json is that it cannot be published, and it will be ignored if found in any place other than the toplevel package

https://docs.npmjs.com/configuring-npm/package-lock-json.html

Does it mean that it shouldn't matter if I commit the file or not? I'm asking because GitHub just found a vulnerability (again) in my repo (npm package) and it says that the vulnerability is in package-lock.json (one was automatically fixed by the dependency bot, by PR). Does it mean that the npm package is also vulnerable or not, if the lock file is not in the npm repository?

What are the recommendations about lock files for npm packages? A good reference website with this information would also be nice.

jcubic

1 Answer

-1

It's useful to keep your package-lock in your repo because it will mean that whoever downloads the project and installs it will get exactly the same sub-dependencies as you.

GitHub has become fussy about deprecated dependencies, which can be useful so you know without having to reinstall them to find out.

There can be cases when you download an old repo and you want the application to be as it was when it was last updated. If the package-lock isn't in the repo then it can be almost impossible to do that.

Often if a dependency has had a major update you'll have to change code in your project to keep up. The package-lock protects you from having to make a load of changes all at once for an old project with many deprecated dependencies.

cd3k

  • It seems that what you've written is about applications and not about npm packages. – jcubic Mar 14 '20 at 10:06
  • It's less likely that you'll leave an npm package for as long as an application without keeping it up-to-date, but I'd say the same rules apply. Say for example you make a package, then come back to it and you want to update the whole thing piece by piece rather than totally rebuilding your codebase. It would be helpful to be able to update dependencies one at a time and make fixes accordingly rather than having everything update all at once. In general, it's better to have as few dependencies for an npm package as possible. – cd3k Mar 14 '20 at 15:16
  • Sorry, I don't understand your point; you have package.json where you can have an exact version or `^` or `~`. I don't see the reason to have a lock file in an npm package. So this doesn't really answer my question. You can do the same as you wrote in the comment with package.json. – jcubic Mar 14 '20 at 18:45
  • Your package.json file is for dependencies of your project. The package-lock.json file holds the specific versions of every dependency's dependency. Otherwise npm will just automatically install them, I think at the current version. The package-lock.json sort of freezes your project in time, whereas just having the package.json alone doesn't. – cd3k Mar 15 '20 at 17:05
  • That's why I'm asking this: with package-lock I keep getting vulnerabilities in my npm package, because even if a minor version is changed it will not install that version. Everything you said is related to applications that need to freeze dependencies so you can clone the repo and install it; with npm packages most of the users don't use the git repo. – jcubic Mar 15 '20 at 17:27
  • GitHub won't stop you from installing the deps, it just notifies you that they're vulnerable. – cd3k Mar 15 '20 at 17:29
  • I'm asking about npm and package-lock.json, not about GitHub. It's super obvious that no one can prevent you from installing anything, neither GitHub nor npm, so what's the point? – jcubic Mar 15 '20 at 17:36
  • Ok, you're not talking about GitHub; I assumed you were referring to its inbuilt notifications about deprecated deps. Most npm packages do have a GitHub repo, or at least all the ones I've seen do. I'm downvoting this question because you've asked for some general advice, then decided to argue against that advice for no apparent reason. You don't have to take the advice; I'm just telling you some general things about npm that might help you make a decision. Do what you think is right for your project. – cd3k Mar 16 '20 at 12:14
  • Ok, I'm downvoting your answer because this is not an answer to my question about npm packages; it's a general answer about web applications on GitHub. – jcubic Mar 16 '20 at 16:52
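The question and the answer above talk past each other on one point: a package-lock.json in the repo pins what the maintainer's own `npm ci`/`npm install` gets, while consumers of a published package never see the lockfile (npm does not publish it) and resolve the package.json ranges afresh, taking the newest published version each range allows. The script below is an added example, not code from the question, the answer, or npm; it reads a package.json and a package-lock.json (constructed sample objects with placeholder package names, not real advisories) and, for an advisory that names a package and the version it is fixed in, reports separately whether the repo's pinned install is still on a vulnerable version and whether a consumer's range-based install can receive the fix. Only exact, caret (`^`) and tilde (`~`) ranges are handled, which is an assumption of this example; real advisories should go through `npm audit` and a full semver implementation.

```javascript
// Added example (not from the question, the answer, or npm itself).
// Compares package.json ranges (what consumers resolve) with
// package-lock.json pins (what the repo's own installs get).
// Handles only exact, caret (^) and tilde (~) ranges by assumption.

function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)$/.exec(v.trim());
  if (!m) throw new Error(`unsupported version: ${v}`);
  return m.slice(1).map(Number); // [major, minor, patch]
}

// Returns -1, 0 or 1 like a comparator.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Does `version` satisfy `range`? Supports "1.2.3", "^1.2.3", "~1.2.3".
function satisfies(range, version) {
  const r = range.trim();
  const op = r[0] === "^" || r[0] === "~" ? r[0] : "";
  const base = op ? r.slice(1) : r;
  const [bMaj, bMin] = parseVersion(base);
  const [vMaj, vMin] = parseVersion(version);
  if (!op) return compareVersions(version, base) === 0; // exact pin
  if (compareVersions(version, base) < 0) return false; // below the floor
  if (op === "~") return vMaj === bMaj && vMin === bMin; // same major.minor
  // caret: the leftmost non-zero component must not change
  if (bMaj > 0) return vMaj === bMaj;
  if (bMin > 0) return vMaj === 0 && vMin === bMin;
  return compareVersions(version, base) === 0; // ^0.0.x behaves as exact
}

// Version pinned for `name` in the lockfile. lockfileVersion 1 keeps a
// "dependencies" map; versions 2 and 3 key "packages" by install path.
function lockedVersion(lock, name) {
  const entry =
    (lock.packages && lock.packages[`node_modules/${name}`]) ||
    (lock.dependencies && lock.dependencies[name]);
  return entry ? entry.version : null;
}

// For one advisory ({ name, fixedIn }), report who is actually affected.
function assessAdvisory(pkg, lock, advisory) {
  const range = (pkg.dependencies || {})[advisory.name];
  const locked = lockedVersion(lock, advisory.name);
  return {
    name: advisory.name,
    range,
    locked,
    // `npm ci` in the repo installs exactly the pinned version.
    repoInstallVulnerable:
      locked !== null && compareVersions(locked, advisory.fixedIn) < 0,
    // Consumers never get the lockfile; a fresh install takes the newest
    // published version the range allows, so the fix reaches them only
    // if the range admits it (assumption: the fix is the newest release).
    consumersCanReceiveFix:
      range !== undefined && satisfies(range, advisory.fixedIn),
  };
}

// Constructed sample inputs with placeholder names (not real packages).
const SAMPLE_PACKAGE_JSON = {
  name: "my-lib",
  version: "0.1.0",
  dependencies: { "caret-dep": "^1.2.0", "pinned-dep": "1.0.0" },
};
const SAMPLE_LOCK_JSON = {
  lockfileVersion: 2,
  packages: {
    "node_modules/caret-dep": { version: "1.2.3" },
    "node_modules/pinned-dep": { version: "1.0.0" },
  },
};
const SAMPLE_ADVISORIES = [
  { name: "caret-dep", fixedIn: "1.2.5" }, // constructed, hypothetical
  { name: "pinned-dep", fixedIn: "1.0.1" }, // constructed, hypothetical
];

function runSample() {
  return SAMPLE_ADVISORIES.map((a) =>
    assessAdvisory(SAMPLE_PACKAGE_JSON, SAMPLE_LOCK_JSON, a)
  );
}

console.log(JSON.stringify(runSample(), null, 2));
```

In the sample, both locked versions are below the fixed version, so the repo's own `npm ci` stays vulnerable until the lockfile is regenerated (which is what the dependency bot's PR does). Only `caret-dep` lets consumers pick up the fix on a fresh install; `pinned-dep` is pinned in package.json itself, so the fix reaches consumers only after a new release of the package. That is the distinction the comments circle around: the lockfile protects the repo's reproducibility, while package.json ranges decide what downstream installs receive.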