The purpose of the package-lock.json file is to "lock" the list of dependencies for a Node.js project beyond simply listing the dependencies in a package.json file.
Here is an example of a package-lock.json being added to a project:
GitHub (obviously) does not show the full 10k lines of JSON because it's a massive file.
When we attempt to expand on this list we see an ocean of dependencies and versions:
What does this information tell us?
It tells us the precise versions of all the dependencies that are being used in the project at this point in its history. That is a good thing, right?
Well, on the surface, yes, it is a good thing to have precise control of the dependencies; that's incontestable.
The question is: will having a package-lock.json file save you from a "bad" dependency update? Or is the file simply creating clutter and noise in your project?
As much as I hate the noise of a package-lock.json file having hundreds of lines updated each time a dependency is updated, on balance I feel it's a necessary evil for some projects that don't have complete end-to-end testing. When an app does not have good testing and continuous integration, package-lock.json can be a good "fallback".
There is no substitute for having full test coverage when upgrading versions of a dependency.
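A lockfile only "locks" anything if every entry is pinned to an exact version, fetched from the registry you expect, and carries an integrity hash; the script below, an added example that is not from the original post, audits a constructed lockfileVersion 3 `packages` map for exactly those three properties (the trusted-registry URL and the sample entries are assumptions for the example).

```javascript
// Assumption for this example: the only expected tarball source is the public npm registry.
const TRUSTED_REGISTRY = "https://registry.npmjs.org/";

// Constructed sample lockfile (lockfileVersion 2/3 layout: keys are node_modules paths).
// "leftpad" is deliberately pinned without an integrity hash and from a non-registry host.
const sampleLock = {
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", dependencies: { lodash: "^4.17.0", leftpad: "1.0.0" } },
    "node_modules/lodash": {
      version: "4.17.21",
      resolved: "https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz",
      integrity: "sha512-CONSTRUCTED-PLACEHOLDER-HASH", // constructed value, not a real digest
    },
    "node_modules/leftpad": {
      version: "1.0.0",
      resolved: "https://mirror.example.internal/leftpad-1.0.0.tgz",
    },
  },
};

// Returns one finding per property that stops the lock from actually protecting an install.
function auditLock(lock) {
  if (!lock.packages) {
    // lockfileVersion 1 uses a nested "dependencies" tree instead; regenerate with a current npm.
    return [{ path: "", problem: "no 'packages' map (lockfileVersion 1); regenerate the lockfile" }];
  }
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages)) {
    if (path === "") continue;     // root project entry, nothing is downloaded for it
    if (entry.link) continue;      // workspace symlink, no tarball involved
    if (!entry.version) {
      findings.push({ path, problem: "no exact version pinned" });
    }
    if (!entry.resolved) {
      findings.push({ path, problem: "no resolved URL" });
    } else if (!entry.resolved.startsWith(TRUSTED_REGISTRY)) {
      findings.push({ path, problem: `resolved outside trusted registry: ${entry.resolved}` });
    }
    if (!entry.integrity) {
      findings.push({ path, problem: "no integrity hash, tarball content cannot be verified" });
    }
  }
  return findings;
}

console.log(auditLock(sampleLock));
```

The lock is only honoured by installs that use it, so run this alongside `npm ci` (which fails if package.json and the lockfile disagree) rather than `npm install`, which may rewrite the lock.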