Autogenerate lock files for starters

[sidharthachatterjee]

Now that starters are in this repo courtesy of @DSchau, @pieh and I were discussing how we ought to autogenerate lock files for them since manually updating dependencies is a chore.

package.json for all starters have all dependencies specified with the ^ selector so it's only the lock files that needs updating.

[sidharthachatterjee]

@DSchau just made a great point about how we don't supply a yarn.lock and yarn users therefore don't get deterministic installs

[DSchau]

@sidharthachatterjee just discovered yarn import. We could perhaps switch the CLI to use this command, rather than attempt to keep both in sync.

I haven't validated this much at all, but it works with the blog and default starters on my system 🤷‍♂️

[KyleAMathews]

For context, the only reason we include a lock file at all (we didn't for a while) is the npm has the adorable behavior that if you install dependencies with yarn but then install a package with npm, npm not seeing a package-lock.json file will assume that everything in node_modules isn't needed and then delete those and only install the one new package.

We used to get tons of issues from people complaining that gatsby didn't work after a while when going through the tutorial or trying it out.

So deterministic installs isn't the goal, the goal is helping npm avoid deleting all someone's packages.

What would also help is if we let people choose to use NPM or yarn as then "gatsby new" could choose one or the other and then we could avoid lock files altogether.

[gatsbot]

Hiya!

This issue has gone quiet. Spooky quiet. 👻

We get a lot of issues, so we currently close issues after 30 days of inactivity. It’s been at least 20 days since the last update here.

If we missed this issue or if you want to keep it open, please reply here. You can also add the label "not stale" to keep this issue open!

Thanks for being a part of the Gatsby community! 💪💜

[JacobBlomgren]

@sidharthachatterjee any updates on this? I was just about to file an issue about Gatsby new, where yarn will print

package-lock.json found. Your project contains lock files generated by tools other than Yarn. It is advised not to mix package managers in order to avoid resolution inconsistencies caused by unsynchronized lock files. To clear this warning, remove package-lock.json.

which is related to this. As I see it, there are two solutions to this, either remove the lock file that is not used during Gatsby new, or only ship the default starter with package-lock and then do yarn import as mentioned above. I’d be happy to help! This has also been reported here: #4514 (comment)

[sidharthachatterjee]

Sorry for missing this comment @JacobBlomgren

I've tagged you in #13210 with a potential solution in case you're still interested in taking a stab at this!

[sidharthachatterjee]

We now include both package-lock.json and yarn.lock in official starters (like in https://github.com/gatsbyjs/gatsby-starter-default) and delete the unused one based on the user's selected package manager.