We've recently switched from greenkeeper to dependabot for our dependency checks and we noticed that dependabot is opening PRs changing only package-lock.json, leaving package.json as it was.
On the other hand, greenkeeper was committing changes to both files.
What is going on? Is it normal, or did we miss something in the settings?
If you're collaborating on a shared project with multiple developers, and you want to ensure that installations remain identical for all developers and environments, you need to use package-lock.json. package-lock.json is automatically generated for any operations where npm modifies either package.
The reason package-lock.json may change automatically when you run npm install is because NPM is updating the package-lock.json file to accurately reflect all the dependencies it has downloaded, since it may have gotten more up-to-date versions of some of them.
It is highly recommended that you commit the generated package lock to source control: this will allow anyone else on your team, your deployments, your CI/continuous integration, and anyone else who runs npm install in your package source to get the exact same dependency tree that you were developing on.
This is a very late reply. We had this working in production for a long time now, but I see there's still interest prompting me that maybe people need some help. So, here it is:
When using GitHub dependabot (not dependabot-preview, although the conf file might be the same, actually):
Add a dependabot.yml file in your repo's .github directory. It will look something like this (e.g. npm):

    version: 2
    updates:
      - package-ecosystem: "npm"
        directory: "/"
        schedule:
          interval: "daily"
        # Always increase the version requirement
        # to match the new version.
        versioning-strategy: increase

That's it. Now, package.json and package-lock.json are both written to with a version increase.
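A small check for the two situations discussed in this thread: a lockfile that has been bumped while package.json still carries the old lower bound (the question's "only package-lock.json changed" PRs), and the worse case where the ranges in package.json and in the lockfile's root entry no longer agree, which npm ci refuses to install. This is an added example, not code from the question, the answers or Dependabot; the package.json and package-lock.json contents below are constructed, and the function names are my own. It reads the lockfileVersion 2/3 layout, where the "packages" map has a root "" entry mirroring package.json and one "node_modules/<name>" entry per installed package.

```python
"""Compare package.json with package-lock.json (added example, not from the thread)."""
import json
import re

DEP_FIELDS = ("dependencies", "devDependencies", "optionalDependencies")

# Constructed sample: the lockfile has been bumped to lodash 4.17.21 and jest 29.7.0,
# but package.json still states the old lower bounds, exactly what a lockfile-only PR looks like.
PACKAGE_JSON = json.loads("""{
  "name": "demo-app",
  "version": "1.0.0",
  "dependencies": {"lodash": "^4.17.20", "express": "4.18.2"},
  "devDependencies": {"jest": "^29.0.0"}
}""")

PACKAGE_LOCK = json.loads("""{
  "name": "demo-app",
  "lockfileVersion": 3,
  "packages": {
    "": {
      "name": "demo-app",
      "dependencies": {"lodash": "^4.17.20", "express": "4.18.2"},
      "devDependencies": {"jest": "^29.0.0"}
    },
    "node_modules/lodash": {"version": "4.17.21"},
    "node_modules/express": {"version": "4.18.2"},
    "node_modules/jest": {"version": "29.7.0"}
  }
}""")

# Only plain ranges are interpreted: "1.2.3", "^1.2.3", "~1.2.3", ">=1.2.3".
# Anything else (tags, URLs, prereleases, "<", hyphen ranges) yields None and is skipped.
_PLAIN_RANGE = re.compile(r"(?:\^|~|>=)?(\d+)\.(\d+)\.(\d+)")


def declared_ranges(manifest):
    """name -> range string, from package.json or from the lock's root "" entry."""
    ranges = {}
    for field in DEP_FIELDS:
        ranges.update(manifest.get(field, {}))
    return ranges


def locked_versions(lock):
    """name -> pinned version for top-level packages in a v2/v3 lockfile."""
    versions = {}
    for path, entry in lock.get("packages", {}).items():
        if not path.startswith("node_modules/"):
            continue
        name = path[len("node_modules/"):]
        if "node_modules/" in name:  # nested under another package, not top-level
            continue
        versions[name] = entry.get("version")
    return versions


def base_version(spec):
    """Lower bound of a plain range as an int tuple, e.g. '^4.17.20' -> (4, 17, 20)."""
    m = _PLAIN_RANGE.fullmatch(spec or "")
    return tuple(int(p) for p in m.groups()) if m else None


def range_drift(manifest, lock):
    """Ranges that differ between package.json and the lockfile's root entry.

    A non-empty result means the two files were edited independently; npm ci
    rejects such a pair instead of installing it.
    """
    want = declared_ranges(manifest)
    have = declared_ranges(lock.get("packages", {}).get("", {}))
    return {n: (want.get(n), have.get(n))
            for n in sorted(set(want) | set(have)) if want.get(n) != have.get(n)}


def manifest_lags_lock(manifest, lock):
    """Packages whose pinned version is newer than the lower bound in package.json.

    This is the situation the question describes: the lockfile moved, but the
    requirement in package.json was not increased to match.
    """
    lagging = {}
    pinned = locked_versions(lock)
    for name, spec in declared_ranges(manifest).items():
        lower, locked = base_version(spec), base_version(pinned.get(name))
        if lower and locked and locked > lower:
            lagging[name] = (spec, pinned[name])
    return lagging


if __name__ == "__main__":
    print("range drift:", range_drift(PACKAGE_JSON, PACKAGE_LOCK))
    print("manifest lags lock:", manifest_lags_lock(PACKAGE_JSON, PACKAGE_LOCK))
```

On the constructed sample the ranges agree, so range_drift is empty, while manifest_lags_lock flags lodash and jest but not express (pinned exactly). Running the same two checks in CI over the real files gives a quick signal of whether a dependency PR touched both files or only the lockfile.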