hungdev / react-native-instagram-login

A React Native Instagram login component (supports Android & iOS). Pull requests are welcome!
https://www.npmjs.com/package/react-native-instagram-login

fix: Updated axios min version and moved it to peer dependency #112

Open rililive opened 2 years ago

rililive commented 2 years ago

The gitignore is just a common boilerplate for JS projects. Moving axios to a peerDependency also allows consumers to keep it up to date. There was a recent, critical vulnerability discovered in the previous version, so this update resolves any security concerns.

Axios also has a default export that acts as a singleton, so having multiple versions installed can create bugs that are hard to track down. The peer dependency usage makes this easier to prevent by having one version and only one singleton that defaults get applied to.

hungdev commented 2 years ago

@rililive please remove package-lock.json

rililive commented 2 years ago

I can remove the package-lock if you like, but best practice is to commit it in git. It keeps versions consistent so that all consumers get the same versions.

rililive commented 2 years ago

For example, npm ci uses the package-lock in CI/CD workflows to ensure versions are consistent with your local/testing environment.

rililive commented 2 years ago

Why? The package-lock is important for maintaining consistent versioning across environments.

On Tue, May 17, 2022, 9:24 AM Hung Vu @.***> wrote:

@rililive https://github.com/rililive please remove package-lock.json


hungdev commented 2 years ago

Hi @rililive, I don't think we should put it in lib, because when you install it, lib can use the existing axios in your app, and then we don't care about consistent versioning. Besides, it is a special case: some people use yarn instead of npm.