DEV Community

Discussion on: So you think you're just gonna `npm install`? Think again

the_hme profile image
Brenda ๐Ÿฑ • Edited on

So if you have the same dependencies in your different environments (prod, dev, test, etc.) and your merge causes a package lock file conflict, it would
be better to manually edit the package lock file?

I think I need to look more into the value and purpose of the lock file.

Thread Thread
lirantal profile image
Liran Tal Author

No. In no circumstance it would be appropriate to manually edit a lock file. Generally speaking if you need to "fix" a lock file. It's better to use the package manager built-in tooling for it. For example, yarn supports automatic resolution of conflict merge issues that fix the lock file.

If that doesn't help. You can update the lock file by running the install/remove commands using the package manager so that it takes care of updating the lock file for you.

Regardless of this, during CI builds you want to maintain reproducible builds and be strict on what packages you install.

Maybe it wasn't very clear in the post but to provide this as an example:

  1. package.json defines dependency myCoolModule version 1.2.3
  2. lockfile has myCoolModule version 0.0.1

At this point, it doesn't really matter how (1) and (2) are different (whether merge conflict issue, or someone forgot to sync the package.json with the lock file)

  1. if your CI server runs npm install then it would detect that the package lock is out of date and both update it (which means it modifies the git copy it cloned, bad to begin with), and brings in 1.2.3 which is what the package.json defined, but not the lock file. Therefore, making the lock file useless.

Instead, you'd want in your CI to run npm ci which reads the lock file as a source of truth, and will bring you myCoolModule version 0.0.1. If it breaks your tests - all the better, it means that the build stopped you from shipping something you didn't expect.

Hope it's a bit clearer :-)

Thread Thread
the_hme profile image
Brenda ๐Ÿฑ

I see. Thanks for the reply.