I get it - a similar idea is expressed in this article: yehudakatz.com/2010/12/16/clarifyi.... But from experience npm packages are fragile: what you were able to install today (based on package.json) doesn't guarantee you would be able to install it in a month. How do you deal with fragility? I gave up and commit lock files.

You can always use exact version number dependencies in package.json. Package-lock.json is unnecessary.

Your "exact version number dependencies" have other dependencies which most likely are not "exact version number dependencies", so the case described by @stereobooster still applies. You will most likely get different packages over time when you use npm install on your project without a package-lock file, and your project may break because of that. I agree it's a pain to maintain it, but sometimes there is no other way.
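An added illustration of the point made in the last reply (example code, not from the thread or from npm): a toy resolver over a constructed two-package "registry" shows that pinning `a` to an exact version in package.json still lets its transitive dependency `b` drift as new versions are published, while replaying a lockfile keeps the tree fixed. Names, versions and the registry snapshots are all made up.

```javascript
// Constructed registry snapshots: what is published today vs. a month later.
// Package "a" is pinned exactly by us, but "a" itself declares b: "^2.0.0".
const registryToday = {
  a: { '1.2.3': { dependencies: { b: '^2.0.0' } } },
  b: { '2.0.0': { dependencies: {} } },
};
const registryNextMonth = {
  a: { '1.2.3': { dependencies: { b: '^2.0.0' } } },
  b: { '2.0.0': { dependencies: {} }, '2.1.0': { dependencies: {} } },
};

// Minimal semver: parse "x.y.z"; support exact ranges and caret ranges for major >= 1
// (the ^0.x special cases of real semver are deliberately left out of this toy).
function parse(v) { return v.split('.').map(Number); }
function compare(x, y) {
  const [a, b] = [parse(x), parse(y)];
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}
function satisfies(version, range) {
  if (!range.startsWith('^')) return version === range;
  const [vMaj, vMin, vPat] = parse(version);
  const [rMaj, rMin, rPat] = parse(range.slice(1));
  return vMaj === rMaj && (vMin > rMin || (vMin === rMin && vPat >= rPat));
}
// npm's default behaviour: take the highest published version that satisfies the range.
function pick(registry, name, range) {
  const ok = Object.keys(registry[name]).filter(v => satisfies(v, range)).sort(compare);
  return ok[ok.length - 1];
}
// Resolve the whole tree from package.json ranges, or replay a lockfile when one is given.
function resolve(registry, deps, lock = null, out = {}) {
  for (const [name, range] of Object.entries(deps)) {
    if (out[name]) continue;
    const version = lock ? lock[name] : pick(registry, name, range);
    if (!version || !registry[name][version]) throw new Error(`cannot resolve ${name}@${range}`);
    out[name] = version;
    resolve(registry, registry[name][version].dependencies, lock, out);
  }
  return out;
}

const packageJson = { a: '1.2.3' };                      // exact pin on the direct dependency only
const lockfile = resolve(registryToday, packageJson);    // what a lockfile would record today
const driftedTree = resolve(registryNextMonth, packageJson);           // b has moved to 2.1.0
const lockedTree = resolve(registryNextMonth, packageJson, lockfile);  // b stays at 2.0.0
```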