DEV Community

loading...

Discussion on: So you think you're just gonna `npm install`? Think again

Collapse
lirantal profile image
Liran Tal Author

Hey Boris! Nice to e-meet you :)

The issue that can arise with out-of-sync lockfiles isn't due to people editing them manually. To be honest, I don't think anyone does.

The problem is with changes people might do to package.json. They might not even edit that manually, but instead it would happen while developers will resolve a merge conflict, and unintentionally a change in the package manifest will slip in.

Pre-commit hooks - I'm all up for those! :-)

Collapse
qm3ster profile image
Mihail Malo • Edited

I sometimes edit them "by hand" with Version Lens

There's also the issue of pnpm vs yarn (and sometimes even npm, imagine that), because they create separate lockfiles.
So, whichever you used to edit package.json, you will still probably need to run npm install --package-lock-only and, if the default for the project is yarn, literally run a whole yarn. (Or is there a --lockfile-only equivalent for yarn?)

Thread Thread
lirantal profile image
Liran Tal Author

I'm not using version lens. Does that also care to update the package lock file when you do that? (as in, not update it "by hand" too, but actually re-ran the locking through the relevant package manager.

Also, I think you mean --package-lock-only? In yarn, just a yarn install will resolve conflicts.

The problem is not how the files get out of sync, but rather the fact that you'd not want to propagate this 'out of sync' behavior to your CIs or other devs (which is even worse as it will just drive more confusion).

Thread Thread
qm3ster profile image
Mihail Malo • Edited

Does that also care

It does not. It totally should, but at the moment it does not. Literally just writes to the file for you.

Yeah, npm i --package-lock-only && pnpm i --lockfile-only

The yarn [install] will also actually do the install, which is slower and clobbers my nice node_modules made by pnpm.

Thread Thread
lirantal profile image
Liran Tal Author

Not so ideal when the package.json alone changes.
These are changes that aren't as soft as other things that you can force on the team by putting them on commit hooks.

I think we agree that regardless, your CI/build systems should work with the pure lock file and not try resolve.