Demystifying the package-lock.json file — to commit or not commit?
TL;DR
We check the NPM package-lock.json file into our codebase because this is the industry standard as defined in the NPM docs.
Historically, the npm package-lock file is npm's answer to Yarn's lock file. Yarn recommended checking its lock file in, and npm adopted that recommendation.
What the package-lock.json file is
The package-lock file is a representation of the exact dependency tree installed at a certain point in time. It aids cross-environment collaboration, because everyone fetches dependencies from the same tree.
In addition, by committing the package-lock file, you can go back in history and replicate the exact dependency tree from that time.
A monorepo, in this sense, is a repo with several package-lock.json files at different levels; developers `cd` into the specific directory where each package-lock file applies.
Recommendations:
If you run `npm i` and notice that package-lock.json was updated, chances are you are on the wrong version of Node.js (and subsequently npm)…
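The two points above (the lock file pins the exact tree, so a diff of it shows precisely what an install changed, and a lock file that rewrites itself after `npm i` usually means a different npm version touched it) can be checked mechanically in review. The script below is an added example, not code from the original post or from npm: it diffs two package-lock.json snapshots in the lockfileVersion 3 layout (every installed package is an entry of `packages` keyed by its node_modules path) and reports the changes a reviewer should look at. Both lock files are constructed sample data; the package names, versions, URLs and integrity strings are made-up placeholders, and the allowed-registry-host list is an assumption for this example.

```javascript
// Added example (not the original post's code): diff two package-lock.json
// snapshots so a reviewer sees exactly what an `npm install` changed.
// Assumes the lockfileVersion 3 layout. Both lock files are constructed sample
// data; names, versions, URLs and integrity strings are made-up placeholders.

const LOCK_BEFORE = {
  name: "sample-app",
  version: "1.0.0",
  lockfileVersion: 3,
  requires: true,
  packages: {
    "": { name: "sample-app", version: "1.0.0", dependencies: { "pkg-a": "^1.0.0", "pkg-b": "^2.0.0" } },
    "node_modules/pkg-a": {
      version: "1.0.0",
      resolved: "https://registry.npmjs.org/pkg-a/-/pkg-a-1.0.0.tgz",
      integrity: "sha512-PLACEHOLDER-A1",
    },
    "node_modules/pkg-b": {
      version: "2.0.0",
      resolved: "https://registry.npmjs.org/pkg-b/-/pkg-b-2.0.0.tgz",
      integrity: "sha512-PLACEHOLDER-B1",
    },
  },
};

const LOCK_AFTER = {
  name: "sample-app",
  version: "1.0.0",
  lockfileVersion: 3,
  requires: true,
  packages: {
    "": { name: "sample-app", version: "1.0.0", dependencies: { "pkg-a": "^1.0.0", "pkg-b": "^2.0.0", "pkg-c": "^0.1.0" } },
    // Same version as before, but a different tarball fetched from a different host.
    "node_modules/pkg-a": {
      version: "1.0.0",
      resolved: "https://mirror.example.invalid/pkg-a/-/pkg-a-1.0.0.tgz",
      integrity: "sha512-PLACEHOLDER-A2",
    },
    // An ordinary semver bump inside the ^2.0.0 range.
    "node_modules/pkg-b": {
      version: "2.1.0",
      resolved: "https://registry.npmjs.org/pkg-b/-/pkg-b-2.1.0.tgz",
      integrity: "sha512-PLACEHOLDER-B2",
    },
    // A newly added dependency.
    "node_modules/pkg-c": {
      version: "0.1.0",
      resolved: "https://registry.npmjs.org/pkg-c/-/pkg-c-0.1.0.tgz",
      integrity: "sha512-PLACEHOLDER-C1",
    },
  },
};

// Flatten "packages" into path -> the three fields that pin an install, skipping the root "" entry.
function pinnedPackages(lock) {
  const out = new Map();
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === "") continue;
    out.set(path, { version: entry.version, resolved: entry.resolved, integrity: entry.integrity });
  }
  return out;
}

// Structural diff: packages added, removed, or with any pinned field changed.
function diffLockfiles(before, after) {
  const prev = pinnedPackages(before);
  const next = pinnedPackages(after);
  const diff = { added: [], removed: [], changed: [] };
  for (const [path, entry] of next) {
    if (!prev.has(path)) {
      diff.added.push(path);
      continue;
    }
    const old = prev.get(path);
    const fields = ["version", "resolved", "integrity"].filter((f) => old[f] !== entry[f]);
    if (fields.length > 0) diff.changed.push({ path, fields, before: old, after: entry });
  }
  for (const path of prev.keys()) if (!next.has(path)) diff.removed.push(path);
  return diff;
}

// Review findings: lock-file changes a human should look at before merging.
// allowedHosts is an assumption for this example; adjust it to your registry setup.
function lockfileFindings(before, after, allowedHosts = ["registry.npmjs.org"]) {
  const findings = [];
  if (before.lockfileVersion !== after.lockfileVersion) {
    findings.push(`lockfileVersion changed ${before.lockfileVersion} -> ${after.lockfileVersion}: a different npm version rewrote the file`);
  }
  const diff = diffLockfiles(before, after);
  for (const c of diff.changed) {
    if (c.fields.includes("integrity") && !c.fields.includes("version")) {
      findings.push(`${c.path}: tarball hash changed while version stayed ${c.after.version}`);
    }
  }
  for (const [path, entry] of pinnedPackages(after)) {
    const host = new URL(entry.resolved).hostname;
    if (!allowedHosts.includes(host)) findings.push(`${path}: resolved from unexpected host ${host}`);
  }
  return findings;
}

console.log(JSON.stringify(diffLockfiles(LOCK_BEFORE, LOCK_AFTER), null, 2));
for (const f of lockfileFindings(LOCK_BEFORE, LOCK_AFTER)) console.log("finding:", f);
```

Run with `node` on the two sample objects: pkg-b's bump and pkg-c's addition show up only in the structural diff, while pkg-a is flagged twice, once because its integrity hash changed under an unchanged version and once because it now resolves to a host outside the allowed list. A lockfileVersion mismatch is reported first, since that is the signature of the situation the recommendation above describes. In a real pipeline you would feed the script the committed file and the one `npm install` produced, and keep `npm ci` as the install command so the recorded integrity values are enforced at install time rather than only inspected here.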