No lockfiles rule

[SamVerschueren]

I never use lockfiles for my modules, only for applications to make sure that the application that is built has the exact same dependencies as the one I tested everything with. Maybe we should add this as a warning instead of an error? What if the lockfile is added to .gitignore, should we still warn?

// @sindresorhus

[sindresorhus]

:+1: Warning and not if it's in .gitignore.

[sindresorhus]

The rule should:

• Warn if package-lock.json or yarn.lock is in the root.
• Warn if there's no .npmrc with package-lock=false.
• Warn if there's no yarn.lock in .gitignore.

[SamVerschueren]

Good suggestions!

[silverwind]

Just adding that yarn can also be configured to not emit lockfiles on install, I hate them with passion 😉.

[sindresorhus]

@silverwind Yup, but I don't use Yarn, so don't think it's worth introducing yet another meta file.

[SamVerschueren]

Because those are just warnings, I guess they shouldn't/can't be auto-fixable?

Warn if package-lock.json or yarn.lock is in the root.

Remove lock file

Warn if there's no .npmrc with package-lock=false.

Create .npmrc with package-lock=false

Warn if there's no yarn.lock in .gitignore.

Add yarn.lock to the root

[sindresorhus]

I don't see why you couldn't auto-fix them. What you suggested above sounds fine.

[SamVerschueren]

You're right, I was assuming that warnings shouldn't be auto-fixable. But actually they can. Thanks for the feedback!