DEV Community 👩‍💻👨‍💻

Discussion on: When not to use package-lock.json

fulopattila122 profile image
Attila Fulop

I'm maintaining PHP packages and we have the same debate about composer.lock in libraries.

I'm lucky to live in the same city as one of the two authors of composer (npm's counterpart in php world) so once I could have a personal discussion about the topic with him.

He also suggested to commit the lock file with the package (which I don't do either) but he also suggested to do this in the CI pipeline:

  • test the package with the deps as in the lockfile
  • downgrade direct deps to the lowest version allowed by .json file and test against that
  • upgrade the direct deps to the highest version allowed by .json file and test against that as well

Here I can see the benefit of the lockfile, albeit I haven't started doing it yet

kgrosvenor profile image
kgrosvenor • Edited on

Dependency lock files are for fast tracking your dependencies via a file cache, so it doesn't have to look through npm again to find them again, you are meant to commit it yes and i don''t think there is a case for not commiting it?

It also works the same on composer.

Why ignore his advise about that from the author? your PI pipeline versions will eventually mess up because you don't commit it...