Closed squatica closed 4 years ago
We do have package-lock.json for the javascript client https://github.com/SSilence/selfoss/blob/master/assets/package-lock.json, the top-level package.json is just for npm-scripts. Though we now do depend on archiver, so I guess package-lock might be useful there as well.
Fixed in ab1e8b864ef11f16710e8d60a20c14681c5a5607.
These files should be committed to git (even npm complains when installing: `npm notice created a lockfile as package-lock.json. You should commit this file.`). Otherwise you risk your users or co-devs installing different dependencies when a new package version was released. Committing the lock file makes the upgrade more controlled. The exact same version will be installed for everyone by `npm install`, and when you want to upgrade packages you will see changes in the lock file, which should again be committed.
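A CI-style check for the drift described in this issue, as an added example that is not part of the thread or of selfoss: it reports when a `package.json` has no lock file or when the lock no longer pins what the manifest declares. The sample manifest and lock are constructed, `lock_problems` and `declared` are hypothetical names, and it assumes a `lockfileVersion` 2 or 3 layout with every dependency coming from a registry.

```python
import json

# Constructed sample inputs (not taken from the selfoss repository).
PACKAGE_JSON = json.loads('{"name": "demo", "devDependencies": {"archiver": "^5.0.0"}}')
LOCK_OK = json.loads("""{
  "name": "demo", "lockfileVersion": 2,
  "packages": {
    "": {"name": "demo", "devDependencies": {"archiver": "^5.0.0"}},
    "node_modules/archiver": {"version": "5.0.2", "dev": true,
      "resolved": "https://registry.npmjs.org/archiver/-/archiver-5.0.2.tgz",
      "integrity": "sha512-CONSTRUCTED-PLACEHOLDER"}
  }
}""")

DEP_FIELDS = ("dependencies", "devDependencies", "optionalDependencies")

def declared(manifest):
    """Merge the name -> version-range maps of all dependency fields."""
    out = {}
    for field in DEP_FIELDS:
        out.update(manifest.get(field, {}))
    return out

def lock_problems(package_json, lock):
    """Return the reasons the lock does not pin what package_json declares."""
    if lock is None:
        return ["package-lock.json is missing (not committed)"]
    packages = lock.get("packages")
    if packages is None:
        return ["no 'packages' map (lockfileVersion 1 layout is not handled here)"]
    wanted = declared(package_json)
    # The "" entry is the lock's copy of the root manifest.
    locked = declared(packages.get("", {}))
    problems = []
    for name, rng in sorted(wanted.items()):
        if locked.get(name) != rng:
            problems.append(f"{name}: package.json wants {rng!r}, lock records {locked.get(name)!r}")
        entry = packages.get(f"node_modules/{name}")
        if entry is None:
            problems.append(f"{name}: no resolved version in lock")
        elif not entry.get("integrity"):
            problems.append(f"{name}: locked without an integrity hash")
    for name in sorted(set(locked) - set(wanted)):
        problems.append(f"{name}: in lock but no longer in package.json")
    return problems
```

`npm ci` applies a comparable consistency check at install time and refuses to install when `package.json` and the lock file disagree.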