Demystifying the package-lock.json file — to commit or not commit?

Christina Hastenrath
2 min read · Jun 16
Photo by Flo P on Unsplash

TL;DR

We check the npm package-lock.json file into our codebase because that is the industry standard, as stated in the npm docs.

Screenshot (2021) of https://docs.npmjs.com/cli/v8/configuring-npm/package-lock-json?v=true

Historically, the npm package-lock file was npm's answer to Yarn's lock file. Yarn recommended checking its lock file in, and npm adopted the same recommendation.

What the package-lock.json file is

The package-lock file is a representation of the exact dependency tree installed at a certain point in time. It aids cross-environment collaboration, because everyone fetches dependencies from the same tree.

In addition, by committing the package-lock file, you can go back in history and replicate the exact dependency tree from that time.

A monorepo, for instance, is a repo with several package-lock.json files at different levels. Developers `cd` into the directory where each package-lock file applies.
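To make the "exact dependency tree" concrete, here is an added example (not code from the article) that reads the `packages` map of a lockfileVersion 2 or 3 package-lock.json, lists every installed copy with its pinned version, tarball URL and integrity hash, and flags entries that would not actually guarantee identical installs across environments. The lockfile is constructed for this example; the package names, versions, URLs and hashes are placeholders, and the expected registry URL is an assumption you would set to your own registry.

```javascript
// Added example, not from the article. Reads the exact tree a package-lock.json
// pins and checks that each entry carries what a reviewer relies on: a version,
// a tarball URL on the expected registry, and an integrity hash.
// CONSTRUCTED_LOCK is made up for this example; names, versions, URLs and
// integrity values are placeholders, not real packages.
const CONSTRUCTED_LOCK = {
  name: "example-app",
  version: "1.0.0",
  lockfileVersion: 3,
  requires: true,
  packages: {
    "": { name: "example-app", version: "1.0.0", dependencies: { "pkg-a": "^2.0.0", "pkg-b": "^1.0.0" } },
    "node_modules/pkg-a": {
      version: "2.0.0",
      resolved: "https://registry.npmjs.org/pkg-a/-/pkg-a-2.0.0.tgz",
      integrity: "sha512-PLACEHOLDER_HASH_A",
      dependencies: { "pkg-b": "^0.1.0" },
    },
    // pkg-a needs an older pkg-b than the top level, so npm nests a second copy
    "node_modules/pkg-a/node_modules/pkg-b": {
      version: "0.1.5",
      resolved: "https://registry.npmjs.org/pkg-b/-/pkg-b-0.1.5.tgz",
      integrity: "sha512-PLACEHOLDER_HASH_B_OLD",
    },
    // top-level pkg-b: resolved from a mirror and missing its integrity hash
    "node_modules/pkg-b": {
      version: "1.0.0",
      resolved: "https://mirror.example.invalid/pkg-b-1.0.0.tgz",
    },
    // a workspace symlink has no tarball, so the checks skip it
    "node_modules/local-lib": { resolved: "packages/local-lib", link: true },
  },
};

// Flatten the "packages" map into one record per installed copy. A nested path
// such as node_modules/x/node_modules/y is how the lockfile records that two
// different versions of y are installed side by side.
function pinnedTree(lock) {
  if (!lock.packages || lock.lockfileVersion < 2) {
    throw new Error("expected lockfileVersion 2 or 3 with a packages map");
  }
  return Object.entries(lock.packages)
    .filter(([path, entry]) => path !== "" && !entry.link) // skip the root project and workspace links
    .map(([path, entry]) => {
      const segments = path.split("node_modules/").filter(Boolean);
      return {
        path,
        name: segments[segments.length - 1].replace(/\/$/, ""),
        depth: segments.length, // 1 = hoisted to the top level
        version: entry.version,
        resolved: entry.resolved,
        integrity: entry.integrity,
      };
    });
}

// Review checks. An entry without an integrity hash, or resolved from somewhere
// other than the expected registry, means the lockfile no longer guarantees that
// every environment installs the same bytes. The registry default is an assumption.
function auditLock(lock, registry = "https://registry.npmjs.org/") {
  const findings = [];
  for (const e of pinnedTree(lock)) {
    if (!e.version) findings.push(`${e.path}: no version`);
    if (!e.integrity) findings.push(`${e.path}: no integrity hash`);
    if (!e.resolved) findings.push(`${e.path}: no resolved URL`);
    else if (!e.resolved.startsWith(registry)) {
      findings.push(`${e.path}: resolved outside ${registry} (${e.resolved})`);
    }
  }
  return findings;
}

// Stand-alone run: print the pinned tree indented by nesting depth, then the findings.
for (const e of pinnedTree(CONSTRUCTED_LOCK)) {
  console.log(`${"  ".repeat(e.depth - 1)}${e.name}@${e.version}  ${e.integrity || "(no integrity)"}`);
}
console.log(auditLock(CONSTRUCTED_LOCK));
```

To use it on a real project, replace `CONSTRUCTED_LOCK` with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`. The nested `pkg-b` entry is the point of the "exact tree" claim: a plain `package.json` could never express that `pkg-a` gets `pkg-b@0.1.5` while everything else gets `pkg-b@1.0.0`, but the lockfile does, and committing it is what makes every environment reproduce that layout.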

Recommendations:

If you run `npm i` and notice that the package-lock.json file was updated, chances are you are on the wrong version of Node.js (and consequently of npm). To fix it:

```shell
# chain with && so a failed `nvm use` does not run `npm i` under the old Node
rm -f package-lock.json && rm -rf node_modules && nvm use <node version> && npm i
```

package-lock.json is one of those files where, if there are ever merge conflicts, you can just delete it and regenerate it, because npm generates it automatically.

We want to avoid a situation where we are constantly checking in a new package-lock file; for versioned code repositories and any other lock files, however, this does not apply.
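Before committing a regenerated lockfile, or deleting a conflicted one and regenerating it, a reviewer wants to know what actually changed, because regenerating silently re-resolves every `^` and `~` range to whatever is newest on the registry. The following is an added example, not code from the article, that diffs two package-lock.json objects (lockfileVersion 2 or 3 `packages` maps) and singles out the case worth the closest look: an entry whose version string is unchanged but whose integrity hash or tarball URL is not. Both lockfiles are constructed for this example; names, versions, URLs and hashes are placeholders.

```javascript
// Added example, not from the article: a review-time diff of two lockfiles.
// LOCK_BEFORE is the committed file; LOCK_AFTER is what a fresh
// `rm package-lock.json && npm i` produced. Both are constructed; the package
// names, versions, URLs and integrity values are placeholders.
const LOCK_BEFORE = {
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", version: "1.0.0" },
    "node_modules/pkg-a": { version: "2.0.0", resolved: "https://registry.npmjs.org/pkg-a/-/pkg-a-2.0.0.tgz", integrity: "sha512-PLACEHOLDER_A1" },
    "node_modules/pkg-b": { version: "1.0.0", resolved: "https://registry.npmjs.org/pkg-b/-/pkg-b-1.0.0.tgz", integrity: "sha512-PLACEHOLDER_B1" },
    "node_modules/pkg-c": { version: "0.9.0", resolved: "https://registry.npmjs.org/pkg-c/-/pkg-c-0.9.0.tgz", integrity: "sha512-PLACEHOLDER_C1" },
  },
};

// After regeneration: pkg-a moved to a newer minor, pkg-b kept its version but
// its integrity hash differs, pkg-c disappeared and pkg-d appeared.
const LOCK_AFTER = {
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", version: "1.0.0" },
    "node_modules/pkg-a": { version: "2.1.0", resolved: "https://registry.npmjs.org/pkg-a/-/pkg-a-2.1.0.tgz", integrity: "sha512-PLACEHOLDER_A2" },
    "node_modules/pkg-b": { version: "1.0.0", resolved: "https://registry.npmjs.org/pkg-b/-/pkg-b-1.0.0.tgz", integrity: "sha512-PLACEHOLDER_B2" },
    "node_modules/pkg-d": { version: "3.2.1", resolved: "https://registry.npmjs.org/pkg-d/-/pkg-d-3.2.1.tgz", integrity: "sha512-PLACEHOLDER_D1" },
  },
};

// The three fields that decide which bytes get installed for an entry.
const TRACKED = ["version", "resolved", "integrity"];

// Compare the packages maps entry by entry, keyed on the install path, so a
// nested copy (node_modules/x/node_modules/y) is diffed separately from the
// hoisted one.
function diffLocks(before, after) {
  const a = before.packages || {};
  const b = after.packages || {};
  const result = { added: [], removed: [], changed: [] };
  const paths = [...new Set([...Object.keys(a), ...Object.keys(b)])].sort();
  for (const p of paths) {
    if (p === "") continue; // the root project entry, not a dependency
    if (!(p in a)) { result.added.push({ path: p, version: b[p].version }); continue; }
    if (!(p in b)) { result.removed.push({ path: p, version: a[p].version }); continue; }
    const fields = TRACKED.filter((f) => a[p][f] !== b[p][f]);
    if (fields.length > 0) {
      result.changed.push({
        path: p,
        fields,
        before: Object.fromEntries(fields.map((f) => [f, a[p][f]])),
        after: Object.fromEntries(fields.map((f) => [f, b[p][f]])),
      });
    }
  }
  return result;
}

// Same version, different integrity or tarball: the version string says nothing
// moved, but the bytes that would be installed did. That is the change a
// reviewer should not wave through as "just the lockfile churning".
function suspiciousChanges(diff) {
  return diff.changed.filter((c) => !c.fields.includes("version"));
}

// Render the diff as plain lines for a PR comment or CI log.
function formatDiff(diff) {
  const lines = [];
  for (const e of diff.added) lines.push(`+ ${e.path}@${e.version}`);
  for (const e of diff.removed) lines.push(`- ${e.path}@${e.version}`);
  for (const c of diff.changed) {
    lines.push(`~ ${c.path}: ${c.fields.map((f) => `${f} ${c.before[f]} -> ${c.after[f]}`).join("; ")}`);
  }
  return lines;
}

// Stand-alone run.
const diff = diffLocks(LOCK_BEFORE, LOCK_AFTER);
console.log(formatDiff(diff).join("\n"));
console.log("needs a closer look:", suspiciousChanges(diff).map((c) => c.path));
```

On a real repository you would load `LOCK_BEFORE` from `git show HEAD:package-lock.json` and `LOCK_AFTER` from the working tree. A related check that needs no extra code: `npm ci` installs strictly from the lockfile and refuses to run when package.json and package-lock.json disagree, so using it in CI turns an accidentally drifted lockfile into a failed build instead of a silently different install.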

Resources

NPM documentation
The Ultimate Guide to yarn.lock files

Christina Hastenrath

Molecular Biologist turned Software Engineer. I write about my code. Connect with me on Twitter @etTinchen