Doesn't make any sense to me: we as a library produce code, our code will be consumed by others, so what?
Our code is not publishing the package-lock.json, that's correct, because it's used to build the code.
What is not ideal is when the CI breaks because of a 3rd party and we invest 2-3 days of manpower to find the cause of this...
For example:
I had committed a fix for a defect in my code and got a build error because a 3rd party changed; can't see any logic.
Libraries produce code that is used in other places, so it doesn't matter whether the code is used by people or computers. The NPM documentation is correct and you need to put the package-lock.json in your source control; it's there for a reason, and the reason is: stable software is SOLID.
Once you don't have reproducible builds, your software is not SOLID anymore.
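As an added example (not code from the original comment), a small Node.js check that audits a package-lock.json for the entries that make a CI build non-reproducible: a dependency without a `resolved` URL, without an `integrity` hash, or with a version that is not an exact pin. The lockfile contents below are constructed inline for the demo; `left-pad` is deliberately incomplete.

```javascript
// Audit a lockfileVersion 2/3 package-lock.json ("packages" map) for entries
// that would let `npm ci` fetch different bytes on a later CI run.
// Constructed sample lockfile (not a real project's lockfile).
const SAMPLE_LOCK = {
  name: "example-lib",
  lockfileVersion: 3,
  packages: {
    "": { name: "example-lib", version: "1.0.0" },          // the root project
    "node_modules/left-pad": { version: "1.3.0" },          // no resolved / integrity
    "node_modules/semver": {
      version: "7.5.4",
      resolved: "https://registry.npmjs.org/semver/-/semver-7.5.4.tgz",
      // Constructed placeholder hash with the shape npm writes (sha512, base64).
      integrity: "sha512-" + "A".repeat(86) + "==",
    },
  },
};

// Exact semver pin (optional prerelease / build metadata), never a range.
const EXACT_VERSION = /^\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?(\+[0-9A-Za-z.-]+)?$/;
// Subresource-integrity style hash as written by npm.
const INTEGRITY = /^(sha512|sha384|sha256)-[A-Za-z0-9+/]+={0,2}$/;

// Returns a list of {path, problem}; an empty list means every dependency
// is pinned to one exact tarball with a hash, so the install is reproducible.
function auditLockfile(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === "") continue;      // root project, nothing to fetch
    if (entry.link) continue;       // workspace symlink, no tarball involved
    if (!EXACT_VERSION.test(entry.version || "")) {
      findings.push({ path, problem: "version is not an exact pin" });
    }
    if (!entry.resolved) {
      findings.push({ path, problem: "missing resolved URL" });
    }
    if (!INTEGRITY.test(entry.integrity || "")) {
      findings.push({ path, problem: "missing or malformed integrity hash" });
    }
  }
  return findings;
}

// Demo run over the constructed lockfile; in CI you would fail the job on findings.
for (const f of auditLockfile(SAMPLE_LOCK)) {
  console.log(`${f.path}: ${f.problem}`);
}
```

In a real pipeline, read the committed lockfile with `JSON.parse(fs.readFileSync("package-lock.json"))` and treat a non-empty findings list as a build failure.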