Closed: ericbf closed this 8 months ago
I'm afraid this file should not be committed to the repository in this case, but rather when you use it in your main repository. The issue is that muhammara supports a very wide range of node and electron versions for different platforms, architectures and clibs. This has led multiple times to the issue that a version works with a but not with b, and when you try to fix that it works for a and b but not for c anymore. The main versions to be used are in the package version; the rest npm/yarn/lerna should decide, whatever best fits your actual package.
The `package-lock.json` file is not published with the package, but it's intended to be committed to the repository:

> This file is intended to be committed into source repositories... One key detail about package-lock.json is that it cannot be published, and it will be ignored if found in any place other than the toplevel package.

Source: https://docs.npmjs.com/cli/v6/configuring-npm/package-lock-json#description
The `package-lock.json` is intended to be committed, meaning it's designed in such a way as to be compatible with a wide range of node, electron, platform, or clib versions. It affects the development environment, as in, if someone clones the muhammara repo and installs local dependencies, it guarantees that the same dependency versions are used for development.

Additionally, `npm install` will always install the latest version of dependencies that match the semver range when the `package-lock.json` isn't present, taking no account of the architecture or anything. If the latest version includes a bug or vulnerability, it will be pulled in regardless of compatibility. In a perfect world, that would be fine, but sometimes other packages have broken versions, or don't perfectly follow semver and introduce breaking changes in minor or patch releases. In those cases, using a `package-lock.json` ensures that all users that locally install dependencies in a repo install the same versions of dependencies.

NPM is inherently designed to work with a wide range of platforms, and they recommend committing the `package-lock.json`. In actual fact, it doesn't reduce portability, it improves it by preventing broken versions from unknowingly being installed for some users but not for others.
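As an added illustration of the pinning argument above (example code, not part of this thread or of muhammara): a small CI-style check that a committed lockfile actually pins every dependency declared in `package.json`, with a version inside the declared range and an integrity hash. It assumes the lockfile v2/v3 layout (a top-level `packages` map keyed by `node_modules/<name>`), and the two objects below are constructed sample input rather than real project files.

```javascript
// Constructed sample input standing in for package.json and package-lock.json.
const packageJson = {
  dependencies: { "node-addon-api": "^4.3.0", lodash: "^4.17.0" },
  devDependencies: { mocha: "^9.0.0" },
};
const packageLock = {
  lockfileVersion: 3,
  packages: {
    "node_modules/node-addon-api": { version: "4.3.0", integrity: "sha512-constructed-example" },
    "node_modules/lodash": { version: "3.10.1" }, // drifted: outside ^4.17.0 and no integrity
    // mocha is missing entirely, e.g. someone edited package.json without re-locking
  },
};

// Minimal semver check for the two shapes npm usually writes: exact "x.y.z" and
// caret "^x.y.z" (caret with a 0 major pins the minor, ^0.0.z pins the patch).
// Any other range returns null so the caller reports it as unchecked, not guessed.
function satisfies(range, version) {
  const m = /^(\^?)(\d+)\.(\d+)\.(\d+)$/.exec(range);
  if (!m) return null;
  const v = version.split(".").map(Number);
  const r = [m[2], m[3], m[4]].map(Number);
  if (!m[1]) return v[0] === r[0] && v[1] === r[1] && v[2] === r[2];
  if (v[0] !== r[0]) return false;
  if (r[0] === 0 && v[1] !== r[1]) return false;
  if (r[0] === 0 && r[1] === 0 && v[2] !== r[2]) return false;
  return v[1] > r[1] || (v[1] === r[1] && v[2] >= r[2]);
}

// Returns a list of findings; an empty list means the lock pins everything declared.
function checkLock(pkg, lock) {
  if (!lock.packages) return [{ dep: "*", problem: "no packages map (v1 lockfile or empty)" }];
  const declared = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
  const findings = [];
  for (const [name, range] of Object.entries(declared)) {
    const entry = lock.packages["node_modules/" + name];
    if (!entry) { findings.push({ dep: name, problem: "not in lockfile" }); continue; }
    if (!entry.integrity) findings.push({ dep: name, problem: "no integrity hash" });
    const ok = satisfies(range, entry.version);
    if (ok === null) findings.push({ dep: name, problem: "range " + range + " not checked" });
    else if (!ok) findings.push({ dep: name, problem: "locked " + entry.version + " outside " + range });
  }
  return findings;
}

console.log(checkLock(packageJson, packageLock));
```

In a pipeline this would run before `npm ci` and fail the build on any finding, so a lockfile that has drifted from `package.json` is caught before it reaches other contributors.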
Yes, you are right, I was thinking about releasing it. We had major issues when we released them, so I removed it. But yes, inside the repository this would work. Sorry for the misunderstanding.
This file should be committed to the repo. This commit adds the lockfile as recommended.
Fixes #336