Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Commit package-lock.json #1659

Closed
levino opened this issue May 25, 2018 · 6 comments · Fixed by #1660
Closed

Commit package-lock.json #1659

levino opened this issue May 25, 2018 · 6 comments · Fixed by #1660
Assignees
@nivida
Labels
In Progress Currently being worked on

Comments

@levino
Copy link
Contributor

levino commented May 25, 2018

You are running a postinstall script to bootstrap the lerna multirepo. That is nice. But you do not commit the package-lock.json. That is good practice and should be done. Will save you lots of headaches with "works on my machine" issues. From the lerna bootstrap logs:

lerna success Bootstrapped 20 packages
npm notice created a lockfile as package-lock.json. You should commit this file.
added 948 packages in 72.476s
@levino
Copy link
Contributor Author

levino commented May 25, 2018

If you are concerned about the huge diff you always have with the lockfiles, that is not a problem: They do not matter. Just accept all changes to it.

@levino levino mentioned this issue May 25, 2018
Merged
@pubkey
Copy link

pubkey commented May 28, 2018

I do not think a library should add the package-lock.json. See this discussion.
To prevent the works on my machine-problem, you should add the package-lock to your project, not a single dependency.

@levino
Copy link
Contributor Author

levino commented May 28, 2018

The lockfile should never be published to NPM. It should however be part of the version controlled source code. It is actually even impossible. https://docs.npmjs.com/files/package-lock.json

One key detail about package-lock.json is that it cannot be published, and it will be ignored if found in any place other than the toplevel package.

Anyhow. There are a bunch of lockfiles in the packages themselves, but none for the web3 package and the project as a whole, which does not make sense.

Keep in mind: Anyone who installs the published package will always install the latest versions of any dependency.

IMO the lockfile should be commited at the toplevel, all other lockfiles should be removed. The lockfile can also be occasionally be removed and recreated in order to always use the latest patches. Deleting a lockfile and having it recreated with npm install should not break anything if the dependencies are correctly maintained.

@pubkey
Copy link

pubkey commented May 28, 2018

Didn't know that. My comment is invalid then.

@levino
Copy link
Contributor Author

levino commented May 28, 2018
edited
Loading

Maybe another way to see it is: A lockfile makes sure that every developer of a project uses the exact same versions of the dependencies for her local dev setup. Nothing more.

@gburtini
Copy link

gburtini commented May 28, 2018
edited
Loading

100% agreed. This is too important of a project to be subject to dependency changes. Lockfiles should always be committed.

@nivida nivida added the In Progress Currently being worked on label Aug 10, 2018
@nivida nivida self-assigned this Aug 10, 2018
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@nivida nivida

Labels
In Progress Currently being worked on
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Fix: Remove typescript typings levino/web3.js
5 participants
@frozeman @gburtini @levino @nivida @pubkey