JavaScript Lockfiles
TL;DR: They're good! I'd love to use them unless there are compelling reasons not to.
Background
I've noticed that the vast majority of the SSBC JavaScript modules don't have lockfiles, and when PRs come along that add lockfiles I've seen people say "looks great, but can you remove the lockfile?". I've searched around and haven't really found a compelling reason not to use lockfiles, but the npm docs describes some pretty useful features of package-lock.json
for libraries:
- Describe a single representation of a dependency tree such that teammates, deployments, and continuous integration are guaranteed to install exactly the same dependencies.
- Provide a facility for users to “time-travel” to previous states of node_modules without having to commit the directory itself.
- To facilitate greater visibility of tree changes through readable source control diffs.
- And optimize the installation process by allowing npm to skip repeated metadata resolutions for previously-installed packages.
What about applications who always want lockfiles respected with npm install
? Run npm shrinkwrap
and you get the above, plus the npm-shrinkwrap.json
file gets published to npm. Are there any compelling reasons to avoid lockfiles? If not, I'd like to add lockfiles to our repos.
Libraries
Most of our modules are libraries, which work great with package-lock.json
. My plan is to iterate through all repos configured as package-lock=false
, remove that config, and add a lockfile.
Applications
When deploying npm modules with a CLI/TUI/GUI, I'd propose that we use npm-shrinkwrap.json
so that dependencies remain locked. Currently, I think that's just Scuttlebot (soon to be ssb-server), which would alleviate the need to maintain scuttlebot-release
.