re: When not to use package-lock.json


I'm maintaining PHP packages and we have the same debate about composer.lock in libraries.

I'm lucky to live in the same city as one of the two authors of composer (npm's counterpart in the PHP world), so I once had the chance to have a personal discussion about the topic with him.

He also suggested committing the lock file with the package (which I don't do either), but he also suggested doing this in the CI pipeline:

  • test the package with the deps as in the lockfile
  • downgrade the direct deps to the lowest version allowed by the .json file and test against that
  • upgrade the direct deps to the highest version allowed by the .json file and test against that as well

Here I can see the benefit of the lockfile, albeit I haven't started doing it yet.
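The three-mode CI run described in the comment above, as an added example (not code from the comment's author or from the composer project). It assumes Composer is on PATH, that composer.json and a committed composer.lock are present, and that the test suite is started with `vendor/bin/phpunit`; the mode name is passed as the script's first argument, so a CI job runs it once per mode. The "locked" mode uses `composer install`, which honours the exact versions in the lock file, while "lowest" and "highest" use `composer update` with and without `--prefer-lowest`, so CI exercises the whole range the constraints in composer.json actually allow rather than the single resolution that happened to be on the maintainer's machine.

```shell
#!/bin/sh
# Added example, not the original comment's code: install a library's
# dependencies in one of three modes (locked / lowest / highest) and run
# the test suite against that set. Assumed: Composer on PATH, composer.json
# plus a committed composer.lock in the working directory, phpunit as the
# test runner.
set -eu

# Map a mode name to the Composer invocation that produces that dependency
# set. Printed rather than executed so the mapping can be checked on a
# machine without Composer; run_mode executes it.
deps_command() {
    case "$1" in
        # Exact versions from composer.lock: what the maintainer tested with.
        locked)  echo "composer install --no-interaction --prefer-dist" ;;
        # Oldest versions the composer.json constraints still allow.
        lowest)  echo "composer update --no-interaction --prefer-dist --prefer-lowest --prefer-stable" ;;
        # Newest versions the composer.json constraints allow.
        highest) echo "composer update --no-interaction --prefer-dist" ;;
        *)
            echo "unknown dependency mode: $1 (expected locked, lowest or highest)" >&2
            return 1
            ;;
    esac
}

# Resolve dependencies in the requested mode, then run the test suite.
run_mode() {
    cmd=$(deps_command "$1")
    echo "==> $1: $cmd"
    $cmd
    vendor/bin/phpunit
}

# Entry point: only runs when a mode is given, e.g. `./ci-deps.sh lowest`.
if [ -n "${1:-}" ]; then
    run_mode "$1"
fi
```

In a CI matrix the same script is invoked three times (`locked`, `lowest`, `highest`); a failure in the `lowest` leg usually means a constraint in composer.json is looser than the code really supports, and a failure in `highest` means a dependency shipped a breaking change inside the allowed range.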
