DEV Community

When not to use package-lock.json

Gajus Kuizinas on September 26, 2019

I maintain over 200 repositories on GitHub and one of the most common PRs that I receive is someone adding package-lock.json or yarn.lock. These PR...
Collapse
 
arcanis profile image
Maël Nison • Edited

Not again :(

This is incorrect, the lockfiles should always be committed. This isn't about you, but about your external contributors and project archival. The lockfile ensures that we never lose track of the last known good state.

Previous discussion: twitter.com/arcanis/status/1164229...

Collapse
 
robogeek profile image
David Herron

The state of dependencies should be described in package.json. That's what the dependencies field is for. Package-lock.json is unnecessary.

Collapse
 
evolutionxbox profile image
Jonathan Cousins • Edited

Not that this is common, but what about the dependencies that your dependencies rely on? What if they change?

Collapse
 
gajus profile image
Gajus Kuizinas

You have not read the article.

Collapse
 
arcanis profile image
Maël Nison • Edited

I did. And working on package managers is part of my daily job, so it's not the first time I think about this.

My thread is a good explanation of the problems in your reasoning, and I'd be happy to go into more details if you have a specific point you'd like to challenge.

Thread Thread
 
gajus profile image
Gajus Kuizinas

I am not advocating against using package-lock.json for programs designed to be consumed by the end consumer. I do suggest not to use lock files in packages that will be dependencies of other packages.

I have read comments of the multiple people who are suggesting to use package-lock.json because it locks down dev dependencies. This is not a valid use case for the same reasons that I outline in the article. If you need to lock down dev dependencies, use semver range that meets your requirements.

Thread Thread
 
arcanis profile image
Maël Nison • Edited

If you need to lock down dev dependencies, use semver range that meets your requirements

Exact semver range isn't locking. Transitive dependencies are still free to change unless you use a proper lockfile.

This isn't to say that exact dependencies are useless (some of my codebases use them), but they solve a different problem and it shouldn't impact at all whether the lockfiles are meant to be committed or not.

I am not advocating against using package-lock.json for programs designed to be consumed by the end consumer

This is the part I'm objecting to. To quote myself:

A lockfile isn't meant to prevent breakages [for consumers] - it's to ensure smooth deployments and development cycles. The first isn't super relevant to libraries and tooling, but the second very much is.

Thread Thread
 
gajus profile image
Gajus Kuizinas • Edited

I understand your argument (using lock files ensures smooth deployments and development cycles). However, unlike others in this thread, I do not put as much value on this argument compared to the downsides I have described in this article. In practise, I have found it extremely rare that dependencies or transitive dependencies break or introduce bugs within semver changes that prevent me from working or that would have been prevented using lock files. Happened, maybe 3 times over the last 5 years that my work was interrupted for longer than an hour.

Thread Thread
 
matthiasccri profile image
Matthias • Edited

It could have been 0 times, if you used a lockfile. Just saying.

Collapse
 
stereobooster profile image
stereobooster

I get it - similar idea expressed in this article yehudakatz.com/2010/12/16/clarifyi.... But from experience npm packages are fragile, what you were able to install today (based on package.json) doesn't guarantee you would be able to install in a month. How do you deal with fragility? I gave up and commit lock files.

Collapse
 
robogeek profile image
David Herron

You can always use exact version number dependencies in package.json. Package-lock.json is unnecessary.

Collapse
 
drkn profile image
Maciej Dragan

Your "exact version number dependencies" have other dependencies which most likely are not "exact version number dependencies", so case described by @stereobooster still applies. You will most likely get different packages in time when you use npm install on your project without package-lock file, and your project may break because of that. I agree it's a pain to maintain it but sometimes there is no other way.

Collapse
 
adiddy profile image
A

If the package-lock.json has a dependency outside a range defined in package.json, the lock file will be updated with the exact version used. Therefore, they always match.

I tried not using a package-lock.json. After the second instance of a dependency's dependency breaking my build, it became obvious that the lock file is there for a reason... I always use it now so everyone gets the exact same versions.

Collapse
 
carlosnufe_97 profile image
Carlos Núñez

The headline is misleading, there are as you already told different use cases.

Collapse
 
andrewsosa profile image
Andrew Sosa

c l i c k b a i t

Collapse
 
gajus profile image
Gajus Kuizinas • Edited

There is only so much information that can be contained in the title. Do you have suggestions how to rephrase the title?

Collapse
 
rdjoseph profile image
RDJ

"When not to use package-lock.json"

Thread Thread
 
gajus profile image
Gajus Kuizinas

Thank you for the suggestion. I have updated article title.

Collapse
 
nullvoxpopuli profile image
NullVoxPopuli

Not everyone adheres to semver. That's where this falls apart.

Most popular package that disregards semver: typescript

Collapse
 
rickvandermey profile image
Rick van der Meij • Edited

It doesn't matter if you are developing in a team or solo. The package lock provides a clear vision which version of dependencies and dependencies of dependencies are being used,and sets them to a fixed version. You do not have any control of deeper dependencies without a package lock which can be reviewed. npm i updates dependencies without you noticing, that's why you use a npm ci when you want to rebuild your node modules.

When updating all packages you can create a specific feature and check those changes. Or automate it if you have decent test

Collapse
 
anamon profile image
Daniel Saner

Aren't you mixing up two things here; committing to a source code repository, and publishing to a registry?

npm pack strips out package-lock.json for publishing. But I believe that even if there were package-lock.json files in dependencies, npm install ignores any but the top-level one, anyway. It wouldn't make sense conceptually to consider them, because if you successfully lock down your dependency versions from your root, you implicitly lock them for all dependencies further down the tree, as well.

On the other hand, nothing speaks against publishing package-lock.json with the source code. In fact, that's half of the reasons for its existence. Because it only has an effect if it's the top-level package, it will help library developers with its intended purpose, while not affecting library consumers.

Please correct me if I'm misunderstanding something here!

Collapse
 
kgrosvenor profile image
kgrosvenor

Always commit your lock files, it speeds up CI builds because npm/composer wont have to locale the packages again since it caches the locations of them in the lock file, there is no place where you should not do this, unless you are inherently a bad programmer and don't like to follow industry practice.

Collapse
 
bycedric profile image
Cedric van Putten • Edited

I agree that your lockfile must not be packaged and shipped within the library.

However, when developing libraries you probably have a set of development dependencies and/or normal dependencies. Here is where I disagree, because these should actually be in a lockfile (in my opinion). You are still pulling dependencies there, even ones not included in the publishes library.

The alternative of using exact versions is also possible. Although, for me, the tradeoffs of messy commit to update patches and losing the ability of quick updates (remove lockfile/npm update) is a no-go for me.

Collapse
 
nahuef profile image
Nahuel

I understand that even if you have the package-lock it will have no effect on any npm install ran on you machine, docker or CI/CD. That's why it is always updated after an npm install.

It only makes a difference if you ran npm ci, right?

Collapse
 
guidobouman profile image
Guido Bouman

Almost, npm i always reproduces the same build from package-lock.json. Unless the dependencies are changed. Then it will update the package-lock.json to reflect those changes. It does not ignore the package-lock.json, as that would change your dependencies every time some nested dependency releases a new (patch?) version that satisfies its dependency requirement.

Collapse
 
evolutionxbox profile image
Jonathan Cousins

As far as I know, yes. (Although I'm aware you wanted the author to answer you).

npm ci is has been very useful for consistent development and ci-build environments, for me at least.

Collapse
 
lirantal profile image
Liran Tal

This is more of your own opinion Gajus than a best practice.
Mael has pointed out good reasons to use lockfiles.

2 articles I wrote to provide more context on lockfiles are:

  1. snyk.io/blog/making-sense-of-packa...
  2. if you use lockfiles, there's also a potential security issue that you should know about: snyk.io/blog/why-npm-lockfiles-can...
Collapse
 
obender profile image
Chen Osipov

Doesn't make any sense to me, we as a Library produce code, our code will be consumed by others so what?

Our code is not publishing the package-lock.json , that correct cause it's been used to build the code.

What is not ideal is when the CI break because of a 3r'd party and we invest 2-3 days of manpower to find the cause of this....

For example:
I had committed fix for a defect in my code and got a build error because of a 3r'd party changed, can't see any logic.

Libraries produce code that is used in other places so it's not matter is the code used by people or computers, the documentation on NPM documentation is correct and you need to put the package-lock.json in your source control it's there for a reason, and the reason is: stable software is SOLID

Once you don't have reproducible builds your software is not SOLID anymore.

Collapse
 
kopax profile image
Dimitri KOPRIWA

I am not using lock file on modules, I am now facing a hard issue accross many projects. Terser is breaking on production build of my documentation, having lock file accross the chain of dependencies would have prevented that.

Collapse
 
melroysblog profile image
Melroy's Blog

Keep pushing, I think this is an important improvement.

Collapse
 
fulopattila122 profile image
Attila Fulop

I'm maintaining PHP packages and we have the same debate about composer.lock in libraries.

I'm lucky to live in the same city as one of the two authors of composer (npm's counterpart in php world) so once I could have a personal discussion about the topic with him.

He also suggested to commit the lock file with the package (which I don't do either) but he also suggested to do this in the CI pipeline:

  • test the package with the deps as in the lockfile
  • downgrade direct deps to the lowest version allowed by .json file and test against that
  • upgrade the direct deps to the highest version allowed by .json file and test against that as well

Here I can see the benefit of the lockfile, albeit I haven't started doing it yet

Collapse
 
kgrosvenor profile image
kgrosvenor • Edited

Dependency lock files are for fast tracking your dependencies via a file cache, so it doesn't have to look through npm again to find them again, you are meant to commit it yes and i don''t think there is a case for not commiting it?

It also works the same on composer.

Why ignore his advise about that from the author? your PI pipeline versions will eventually mess up because you don't commit it...

Collapse
 
nimit95 profile image
Nimit Aggarwal

I think this is like a double edge sword if some dependency in my package's tree is updated with a vulnerable package. That would directly affect my package. The same thing that happened with event-stream snyk.io/blog/malicious-code-found-...

Collapse
 
matthiasccri profile image
Matthias

I would personally prefer my environment to break

This is an odd way to put it :) Rather, you probably mean that you want to know when there is a breakage, not that you want to have to drop everything and fix it right now and it is blocking you from your original task at hand. No one wants that kind of interruption.

There are a couple responses:

  1. when? When is the break going to be detected? Are you executing these tests daily? hourly? In CI or locally? This is pointed out in the yarn article with babel as an example. In babel's case, consumers logged Issues about the breakage before babel maintainers even detected it themselves. People think a missing lockfile will magically notify them of breakages, but they must realize that they have to actually run the builds and tests to see the breakage.
  2. Again, no one wants "surprise broken builds". They do want to fix broken builds, but they want to choose when to do it. Without a tracked lockfile, you can't revert to a "last known good install". You are forced to fix the build before you can work. With a lockfile, you can revert and continue working, and fix the issue later.
Collapse
 
matthiasccri profile image
Matthias • Edited

I would support a variation of package-lock.json if it could somehow only apply to devDependencies.

The same reasoning applies to both dependencies and devDependencies, because both are very much used during development.

You described it as "wanting your development environment to not break", but realize this applies to both the build and the tests, and dependencies are used in tests.

Collapse
 
ankurloriya profile image
Ankur Loriya

I think package-lock.json for security purpose.
When a user hit npm install package-lock.json created commit the package-lock.json changes to version control. They must be insecure network.

Once the package-lock.json generated from true (secure) network and your other machine network might under attack and hacker might change npm registry DNS/Route/IP in that case npm will check the integrity with npm install.

Collapse
 
krohrsb profile image
Kyle Brown

The solution for the stated problem is not not using lock files. It should be choosing pinned dependencies vs ranges.

Collapse
 
ljharb profile image
Jordan Harband

No, it's not, because pinning dependencies doesn't pin their dependencies. The only way to do this properly in an application is with a lockfile (NOT pinning anything). The only way to do this properly in a package is to use ^, always.

Collapse
 
jascomp profile image
Jason Holden

Thanks for the clarification.

Collapse
 
coderbyheart profile image
Markus Tacker 🇳🇴

Because package-lock.json cannot be added to NPM registry

This is false.

Collapse
 
bennypowers profile image
Benny Powers 🇮🇱🇨🇦

On the other hand, wouldn't you like to lock versions of devDependencies, leverage faster builds in ci, etc?

Collapse
 
matthiasccri profile image
Matthias • Edited

After all, you can easily patch your dependency tree if you need to lock down a specific version for development purposes.

This is basically what a lockfile does... why not just use a lockfile?

Collapse
 
bitcod3r profile image
Guillermo Garcia

I agree with your arguments about why it should be a developer/maintainer responsibility to keep their dependencies at the latest versions and solve any issue related to some broken/buggy dependency version.

Perhaps npm needs to use a different approach to help us identify when an end-user runs ´npm install´ vs when a developer runs it.

To make this distinction viable we would propose two different kind of lock files. One for development usage and another for final usage (like packages that are themselves dependencies of other packages.).

Collapse
 
brieucp profile image
brieucp

Instead it's better to set npm with --save-exact (in .npmrc or on every install).

Collapse
 
saurabhdaware profile image
Saurabh Daware 🌻

I did not understand how not commiting package-lock solves this issue? won't package.json will update sub-dependencies anyway?

Collapse
 
azterix101 profile image
Neo

Thanks i was not aware of this.

Collapse
 
aahutsal profile image
Arsen A. Gutsal

"but it was archived without an action."- probably they just act like you, closing PRs without any notice 😅

Collapse
 
gajus profile image
Gajus Kuizinas

I do provide explanation to every PR I close.