Skip to content

Add package-lock.json#4337

Closed
benmccann wants to merge 1 commit intochartjs:masterfrom
benmccann:package-lock
Closed

Add package-lock.json#4337
benmccann wants to merge 1 commit intochartjs:masterfrom
benmccann:package-lock

Conversation

@benmccann
Copy link
Contributor

@benmccann benmccann commented Jun 6, 2017

When using npm 5 to build a package-lock.json file is created with the following message:

npm notice created a lockfile as package-lock.json. You should commit this file

@etimberg etimberg added this to the Version 2.7 milestone Jun 6, 2017
@etimberg
Copy link
Member

etimberg commented Jun 6, 2017

Looks good to me. @simonbrunel ?

@simonbrunel
Copy link
Member

simonbrunel commented Jun 7, 2017
edited
Loading

If I understand correctly, the package-lock.json only makes sense if:

  • Travis is setup to build on Node.js 8 / npm 5 (not sure if it's supported yet),
  • all contributors switch their environment to Node.js 8 (6.11.0 LTS is currently recommended),
  • package-lock.json is not updated in every PR (what npm commands update this file?)

If we can't get Travis to use this package-lock.json file, then I would not add it to the repository because builds will not reflect the locked dependencies. And since most of the dependencies are dev, does it make really sense to lock these deps? I would rather use pinned versions for the 2 non dev dependencies we have (moment and chartjs-color) and git ignore this package-lock.json.

Don't you think that this file will finally generate more noise and work than benefits?

@simonbrunel simonbrunel mentioned this pull request Jun 7, 2017
Merged
@benmccann
Copy link
Contributor Author

benmccann commented Jun 7, 2017

package-lock.json doesn't require a certain version of Node. Only of npm

I use node 6 to build locally, which is the latest LTS as you've pointed out. I've sent a separate PR to update Travis to use node 6 instead of node 5

Travis uses npm 3 by default regardless of node version, so you're right that it's ignoring this file at the moment. For people who use npm 5 they're going to be continually bugged to check in this file. So it seems like we should either ask Travis to use npm 5 or maybe add this file to .gitignore?

@simonbrunel
Copy link
Member

simonbrunel commented Jun 7, 2017
edited
Loading

I'm still thinking it will bring more noise than benefits, so my personal choice would be to .gitignore it.

I suggested Node.js 8 because I think npm 5 comes bundled in that version (at least on Windows), but you right, it has nothing to do with the version of Node.js.

edit: seems I removed the .gitignore suggestion in my previous comment before posting

@simonbrunel
Copy link
Member

simonbrunel commented Jun 7, 2017

@etimberg what do you think?

@etimberg
Copy link
Member

etimberg commented Jun 7, 2017

I think it really depends on how often we update it. It's noisy if it's always updating

@benmccann
Copy link
Contributor Author

benmccann commented Jun 8, 2017

I believe it will only update upon request or when package.json is updated.

However, I'm going to close this for now because I discovered there's a bug in npm's handling of this file that's a dealbreaker. I may reopen when the bug is fixed

@benmccann benmccann closed this Jun 8, 2017
@benmccann benmccann mentioned this pull request Jul 11, 2017
Closed
@benmccann benmccann deleted the package-lock branch August 1, 2017 04:04
@simonbrunel simonbrunel removed this from the Version 2.7 milestone Aug 28, 2017
@benmccann benmccann mentioned this pull request Jan 11, 2018
Closed
@simonbrunel simonbrunel mentioned this pull request Jan 11, 2018
Merged
@benmccann benmccann mentioned this pull request Sep 4, 2019
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

type: infrastructure

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@benmccann @etimberg @simonbrunel