DEV Community

Discussion on: Using npm's `ls` command for Fun and Insight

Tierney Cyren Author

This is assuming that a package-lock.json file exists. Some projects (like most of mine) opt out of this because it adds maintainer burden for no tangible benefit, at least in the case of modules. It's definitely recommended for applications, but since package-lock.json doesn't get published to the registry there's really very little point to keeping it around.

That said, as far as I know (and I could totally be wrong!) you can still have unmet dependencies that wouldn't be caught between package-lock.json and package.json.
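As an added example (not part of the thread and not Tierney's or Mihail's code), a small Node.js script that performs the kind of package.json-versus-package-lock.json consistency check being discussed, in the spirit of `npm ls`; the lockfile layout, the two sample documents and the limited range grammar are assumptions marked in the comments.

```javascript
// Added example: a minimal "unmet dependency" check in the spirit of `npm ls`,
// comparing package.json ranges against the versions a lockfile resolved.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  if (!m) throw new Error(`unsupported version: ${v}`);
  return m.slice(1).map(Number);
}
function compare(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}
// Assumption: only exact "x.y.z", caret "^x.y.z" and tilde "~x.y.z" ranges
// are handled (npm accepts many more range forms).
function satisfies(version, range) {
  const op = /^[\^~]/.test(range) ? range[0] : "";
  const base = parseVersion(op ? range.slice(1) : range);
  const v = parseVersion(version);
  if (!op) return compare(v, base) === 0;
  if (compare(v, base) < 0) return false;
  if (op === "~") return v[0] === base[0] && v[1] === base[1];
  // caret: the leftmost non-zero component must stay fixed
  if (base[0] !== 0) return v[0] === base[0];
  if (base[1] !== 0) return v[0] === 0 && v[1] === base[1];
  return compare(v, base) === 0;
}
// One entry per declared dependency that the lockfile lacks ("missing")
// or resolves to a version outside the declared range ("invalid").
function findUnmet(pkg, lock) {
  const unmet = [];
  for (const [name, range] of Object.entries(pkg.dependencies || {})) {
    const entry = lock.packages[`node_modules/${name}`];
    if (!entry) unmet.push({ name, range, found: null, reason: "missing" });
    else if (!satisfies(entry.version, range))
      unmet.push({ name, range, found: entry.version, reason: "invalid" });
  }
  return unmet;
}
// Constructed sample documents (lockfileVersion 2/3 "packages" map shape).
const pkg = { dependencies: { left: "^1.2.0", right: "~2.0.1", gone: "3.0.0" } };
const lock = {
  packages: {
    "node_modules/left": { version: "1.4.0" },
    "node_modules/right": { version: "2.1.0" }, // outside ~2.0.1
    // no "node_modules/gone" entry at all
  },
};
console.log(findUnmet(pkg, lock));
```

Running it reports `right` as invalid and `gone` as missing, while `left` satisfies its caret range.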

Mihail Malo

shrinkwrap.json gets published :v

Tierney Cyren Author

Indeed it does, but it’s an antiquated approach that I try to keep out of my open-source packages.

IMO the cost of maintaining an npm-shrinkwrap.json is higher than writing high-quality code that will be resilient enough to handle dynamic dependency resolution.

If I am feeling especially picky about a certain module or set of modules, I'll generally pin the versions in my projects' package.json.

Mihail Malo

It doesn't matter what kind of code you write if your dependencies introduce bugs or change published API with a patch version :D

Tierney Cyren Author

You could not include those dependencies 😂

Mihail Malo

Be serious 😂