Closed folletto closed 6 years ago
So basically the package.lock is awesome when we want consistent CI builds (which we don't have yet), or if we're a non-library project. This file isn't published, which means that clients like Calypso will pull down the latest of whatever package.json specifies.
Here's the worst-case scenario: let's say we have a library dependency that is not pinned. Let's call this package `foo` at `^1.2.3`. The package.lock sticks with `1.2.3`, but a few days later Calypso reshrinkwraps and `foo` happens to publish `1.3.0`, which breaks something. Calypso picks up the latest `foo`, `1.3.0`. Locally in this repo we don't notice what's wrong since we use the exact version in package.lock.
So two options that come to mind:
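The resolution behaviour described in the comment above, as an added example that is not part of the original issue or of any Automattic project: a small model of how an installer resolves a caret range with and without a lockfile. It uses no npm or `semver` package; the matcher only handles exact versions and caret ranges, and the registry contents, the lockfile and the package name `foo` are constructed for the illustration.

```javascript
// Added example (not from the original issue): a minimal model of how a
// caret range in package.json resolves with and without a lockfile.
// No npm or semver package is used; the range matcher below handles only
// exact versions and caret ranges, which is all the scenario needs.

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  if (!m) throw new Error(`unsupported version: ${v}`);
  return m.slice(1, 4).map(Number);
}

function compareVersions(a, b) {
  const [pa, pb] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] - pb[i];
  }
  return 0;
}

// Exclusive upper bound of a caret range, following npm's rule that the
// leftmost non-zero component may not change:
// ^1.2.3 < 2.0.0, ^0.2.3 < 0.3.0, ^0.0.3 < 0.0.4.
function caretUpperBound(base) {
  const [major, minor, patch] = parseVersion(base);
  if (major > 0) return `${major + 1}.0.0`;
  if (minor > 0) return `0.${minor + 1}.0`;
  return `0.0.${patch + 1}`;
}

function satisfies(version, range) {
  if (range.startsWith('^')) {
    const base = range.slice(1);
    return compareVersions(version, base) >= 0 &&
      compareVersions(version, caretUpperBound(base)) < 0;
  }
  // Anything else is treated as an exact (pinned) version.
  return compareVersions(version, range) === 0;
}

// Resolve one dependency the way an installer would: honour the lockfile
// entry if one exists and still satisfies the range, otherwise take the
// highest published version that satisfies it.
function resolve(name, range, published, lockfile = {}) {
  const locked = lockfile[name];
  if (locked && satisfies(locked, range)) return locked;
  const candidates = published[name].filter(v => satisfies(v, range));
  if (candidates.length === 0) {
    throw new Error(`no version of ${name} satisfies ${range}`);
  }
  return candidates.sort(compareVersions).pop();
}

// Constructed sample registry and lockfile: foo was at 1.2.3 when the
// library locked it and has since published 1.3.0. The library's lockfile
// is not published, so a consumer such as Calypso resolves with an empty
// lockfile and sees the newer release.
const registry = { foo: ['1.2.2', '1.2.3', '1.3.0'] };
const libraryLock = { foo: '1.2.3' };

function scenario(range) {
  return {
    library: resolve('foo', range, registry, libraryLock),
    consumer: resolve('foo', range, registry),
  };
}

console.log(scenario('^1.2.3')); // { library: '1.2.3', consumer: '1.3.0' }
console.log(scenario('1.2.3'));  // { library: '1.2.3', consumer: '1.2.3' }
```

With the caret range the library's own install stays on `1.2.3` while the consumer silently moves to `1.3.0`; with the exact version both resolve to `1.2.3`, which is the pinning the thread settles on.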
To be clear: by "pinned" you mean that `package.json` should specify an exact version, correct?
Yes, an exact version!
Ok!
Given:
- `dependencies` (`prop-types`)
- `devDependencies` (`svg-to-pdfkit`)

I'd consider the second choice to be the ideal.
We can reconsider at a later point.
Ok added PR to remove it from Gridicons: https://github.com/Automattic/gridicons/pull/287
And added PR to remove it from Social Logos too: https://github.com/Automattic/social-logos/pull/61
Both issues got merged. ✅ ✅
Thank you @gwwar for the always precise and clear feedback. :)
Thanks for following up on this one! 💖
This issue emerged first after we aligned Social Logos to the new build system from Gridicons:
And then recently the file was added in Gridicons, after another unrelated update:
In both situations, the question was raised whether the file is actually needed — by @gwwar:
I think we need a clear answer, and then commit the changes to all the repositories.