DEV Community

Cover image for 📦 The Ultimate Guide to package.json, package-lock.json, .yarnrc, babel.config, tsconfig.json & More
Fazal Mansuri
Fazal Mansuri

Posted on

📦 The Ultimate Guide to package.json, package-lock.json, .yarnrc, babel.config, tsconfig.json & More

Most developers use these config files daily — but few truly understand how they work, why they matter, and how small mistakes can break a project or waste hours of debugging time.

This post goes beyond definitions: we’ll explore how these files work, why they matter, best practices, and common real-world mistakes to avoid.


1️⃣ package.json

  • What it is:
    The heart of any Node.js or React project.
    It lists the project’s metadata, dependencies, scripts and configuration.

  • How it works:
    Acts as the project manifest — when you run npm install, it reads the dependencies and installs them.

  • Important things to remember:

    • Keep dependencies (dependencies) and dev tools (devDependencies) separate.
    • Always update versions carefully — check changelogs when upgrading.

👉 Quick Difference:dependencies are needed to run the application in production, while devDependencies are only needed for development, testing and build processes.

  • Best practices:

    • Define clear scripts (e.g., npm run test, npm run lint) to standardize tasks for all developers.
    • Use semantic versioning (^, ~, exact versions) wisely. The versioning symbols define the range of versions allowed, and npm/yarn automatically picks the newest allowed version (unless restricted by the lockfile).
  • Real-world tip:

    Messy or outdated package.json often causes “it works on my machine” issues, especially in CI/CD. Always commit updated files!


2️⃣ package-lock.json / yarn.lock

  • How they work:
    Record exact package versions (including nested dependencies) used at install time.

  • Why they matter in CI/CD:
    Without lock files, your CI pipeline might install newer versions of packages than local dev, causing unpredictable failures.

  • Best practices:

    • Always commit lock files to version control.
    • Never manually edit lock files.
    • Avoid deleting lock files just to “fix” install issues — this usually hides the real problem.
  • Real-world mistake:

    A team skips committing package-lock.json; their staging environment works, but production deploy breaks because a sub-dependency released a breaking change overnight.

🔑 Important to know:
The lockfile (package-lock.json or yarn.lock) pins the exact version after the first install. Even if your package.json allows a higher version, the lockfile keeps things stable until you explicitly update.


3️⃣ .yarnrc / .npmrc

  • How they work:
    Customize the behavior of npm/yarn, e.g., set private registries or proxies.

  • Important to remember:

    • Keep sensitive tokens out of versioned .npmrc / .yarnrc.
    • For private registries, use .npmrc in the CI/CD pipeline or environment variables.
  • Best practices:

    • Store per-user configs in your home directory (~/.npmrc), not in the project if they contain sensitive info.

4️⃣ babel.config.js / .babelrc

  • How it works:
    Transforms modern JavaScript (ES6+, JSX, TypeScript) into code browsers understand.

  • Common mistakes:

    • Missing or misconfigured presets cause build failures.
    • Using incompatible Babel and Webpack versions leads to hours of confusing errors.
  • Best practices:

    • Explicitly define presets (@babel/preset-env, @babel/preset-react) in projects.
    • Keep Babel versions in sync with other tools.

5️⃣ tsconfig.json

  • How it works:
    Controls TypeScript’s compiler behavior and type checking.

  • Critical settings:

    • strict → enables full type safety.
    • target → defines output JS version.
    • baseUrl / paths → improve import paths and avoid ugly ../../ imports.
  • Best practices:

    • Use strict mode in production projects.
    • Align tsconfig.json with CI/CD type-check steps.
  • Real-world issue:

    You skip strict mode to save time, ship to production, and later discover subtle type bugs that could have been caught early.


6️⃣ .eslint.json / .eslintrc.js

  • How it works:
    Defines code linting rules — runs in editors, CI pipelines, or as pre-commit hooks.

  • Best practices:

    • Use a shared team config or extend popular configs like Airbnb or StandardJS.
    • Integrate linting into CI to prevent code quality regressions.
  • Real-world example:

    Teams without enforced linting often waste time reviewing minor formatting issues in PRs.


7️⃣ .prettierrc

  • How it works:
    Configures automatic code formatting.

  • Best practices:

    • Run Prettier in your editor + CI pipeline.
    • Use .prettierignore to exclude large generated files.

8️⃣ .gitignore

  • How it works:
    Tells Git which files/folders to skip tracking (like node_modules, .env).

  • Best practices:

    • Keep your .gitignore up to date; accidentally committing node_modules can break builds or bloat the repo.
    • Check .gitignore on new clones to avoid pushing unwanted files.

💥 Why It All Matters in CI/CD

CI/CD systems rely on predictable, repeatable builds. These config files:

✅ Ensure consistent dependency versions
✅ Standardize linting and formatting
✅ Prevent committing sensitive or unwanted files
✅ Configure tools like Babel, TypeScript, Webpack correctly across environments

Without understanding them, you risk:

  • Broken deploys
  • Hard-to-debug environment differences
  • Hours of wasted developer time chasing “mystery” bugs

💥 Common Mistakes to Avoid
Deleting lockfiles to “fix” install errors → leads to unpredictable builds.

Ignoring Babel or TypeScript warnings → causes runtime crashes.

Not updating scripts in package.json → CI pipelines skip critical checks.


💡 Final Thoughts

Understanding these config files isn’t just “setup work”—it’s the foundation of reliable, maintainable apps. Whether you’re a frontend dev or working on CI/CD, mastering these files will save hours of debugging and make you a stronger engineer.

Top comments (0)