Ok so I have an npm project at my work that a bunch of us are working on. It has dependencies on 'lodash' and 'jquery'.
I do an >npm install
, and it pulls down my deps. Then I bundle it.
That creates a 'package-lock.json' on my system.
Now another developer adds a new dependency on 'moment'.
He does a >npm install -S moment
.
That adds it to his package.json, and he checks that in. We don't check in the package-lock.json.
Now I do a 'git pull
' and get the new package.json.
Now I do >npm install
, BUT because I have my own package-lock.json, it doesnt install 'moment' for me. So now I have to:
>rm package-lock.json
>npm install
And now I have 'moment'. Seems like this package-lock.json isn't really helping my workflow. Could I get an explanation of how this should work for developers on a day-to-day basis, if we are all developing on a common npm module?
The goal of package-lock. json file is to keep track of the exact version of every package that is installed so that a product is 100% reproducible in the same way even if packages are updated by their maintainers. This solves a very specific problem that package.
json intact. It is highly recommended you commit the generated package lock to source control: this will allow anyone else on your team, your deployments, your CI/continuous integration, and anyone else who runs npm install in your package source to get the exact same dependency tree that you were developing on.
package-lock. json is updated automatically on dependency changes. It should be committed to version control to ensure the same dependencies on install.
First, according to npm documentation:
This file is intended to be committed into source repositories
so you should commit your initial package-lock.json
after you've done npm install
.
Another developer pulls your changes, including the lockfile.
Then he does npm -S moment
, which makes updates to both package.json
and package-lock.json
. The developer pushes a commit with these changes.
Now you pull his changes and do npm install
. It should install moment
for you . Furthermore, you both should now have exactly the same version of moment
and it's dependencies installed - even if between his and your installs minor version of some dependency was incremented.
It all gets messy when both of you have installed new dependencies in parallel and then have a conflict on package-lock.json
. This may be a huge file and quite a pain to merge manually. I haven't seen documented any official way of dealing with it. There is even an open issue in npm repo to provide solution to resolving conflicts.
One user shares his workaround workflow in the issue thread there, which basically means: override your local changes with package.json
and package-lock.json
pulled from master, then apply all your npm install -S
and npm remove -S
commands again. This seems to be a reasonable solution until the issue is resolved by npm.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With