julianhille / MuhammaraJS

Muhammara a node module with c/cpp bindings to modify PDF with js for node or electron (based/replacement on/of galkhana/hummusjs)

Add `package-lock.json` file #337

Closed ericbf closed 8 months ago

ericbf commented 8 months ago

This file should be committed to the repo. This commit adds the lockfile as recommended.

Fixes #336

julianhille commented 8 months ago

I'm afraid this file should not be committed to the repository in this case, but rather when you use it in a main repository. The issue is that muhammara supports a very wide range of node and electron versions for different platforms, architectures and clibs. This led multiple times to the issue that a version works with A but not with B, and when you try to fix that it worked for A and B but not for C anymore. The main versions to be used are in the package version; the rest should npm/yarn/lerna decide what best fits your actual package.

ericbf commented 8 months ago

The package-lock.json file is not published with the package, but it’s intended to be committed to the repository:

This file is intended to be committed into source repositories... One key detail about package-lock.json is that it cannot be published, and it will be ignored if found in any place other than the toplevel package.

Source: https://docs.npmjs.com/cli/v6/configuring-npm/package-lock-json#description

The package-lock.json is intended to be committed, meaning it's designed in such a way as to be compatible with a wide range of node, electron, platform, or clib versions. It affects the development environment, as in, if someone clones the muhammara repo and installs local dependencies, and it guarantees that the same dependency versions are used for development.

Additionally, npm install will always install the latest version of dependencies that match the semver range when the package-lock.json isn’t present, taking no account of the architecture or anything. If the latest version includes a bug or vulnerability, it will be pulled in regardless of compatibility. In a perfect world, that would be fine, but sometimes other packages have broken versions, or don’t perfectly follow semver and introduce breaking changes in minor or patch releases. In those cases, using a package-lock.json ensures that all users that locally install dependencies in a repo install the same versions of dependencies.

NPM is inherently designed to work with a wide range of platforms, and they recommend committing the package-lock.json. In actual fact, it doesn’t reduce portability, it improves it by preventing broken versions from unknowingly being installed for some users but not for others.
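As an added example (not code from the MuhammaraJS project or this PR), here is a small Node script that performs the check the comment above argues for: it cross-checks package.json against a lockfileVersion 2/3 package-lock.json and flags dependencies that are not locked, resolved outside their declared range, fetched over plain http, or missing an integrity hash. Package names, URLs and hashes below are constructed, and only exact, `~` and `^` ranges are handled.

```javascript
// Parse "MAJOR.MINOR.PATCH" into numbers; returns null for anything else.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  return m ? m.slice(1, 4).map(Number) : null;
}

// Minimal semver matcher for exact, "~" and "^" ranges only (assumption:
// the manifest uses just these forms; anything else counts as unsatisfied).
function satisfies(version, range) {
  const op = /^[\^~]/.test(range) ? range[0] : "";
  const ver = parseVersion(version);
  const base = parseVersion(range.slice(op.length));
  if (!ver || !base) return false;
  if (op === "") return ver.every((n, i) => n === base[i]);
  const cmp = ver.map((n, i) => n - base[i]).find((d) => d !== 0) ?? 0;
  if (cmp < 0) return false;                                    // below the floor
  if (op === "~") return ver[0] === base[0] && ver[1] === base[1];
  if (base[0] !== 0) return ver[0] === base[0];                  // ^1.x: same major
  if (base[1] !== 0) return ver[0] === 0 && ver[1] === base[1];  // ^0.x: same minor
  return cmp === 0;                                             // ^0.0.x: exact
}

// Returns one {name, problem} per dependency that is absent from the lock,
// locked outside its declared range, fetched over plain http, or has no
// integrity hash (without which npm ci cannot detect a swapped tarball).
function auditLock(pkg, lock) {
  const declared = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
  const findings = [];
  for (const [name, range] of Object.entries(declared)) {
    const entry = (lock.packages || {})[`node_modules/${name}`];
    if (!entry) { findings.push({ name, problem: "not in lockfile" }); continue; }
    if (!satisfies(entry.version, range))
      findings.push({ name, problem: `locked ${entry.version} outside ${range}` });
    if (!/^https:\/\//.test(entry.resolved || ""))
      findings.push({ name, problem: "resolved URL is not https" });
    if (!/^sha(256|384|512)-/.test(entry.integrity || ""))
      findings.push({ name, problem: "missing integrity hash" });
  }
  return findings;
}

// Constructed sample manifest and lock (package names, URLs and hashes are made up).
const SAMPLE_PKG = { dependencies: { "dep-a": "^1.2.0", "dep-b": "~2.0.1", "dep-c": "^0.3.0", "dep-d": "3.1.0" } };
const SAMPLE_LOCK = { lockfileVersion: 3, packages: {
  "node_modules/dep-a": { version: "1.4.2", resolved: "https://registry.example/dep-a-1.4.2.tgz", integrity: "sha512-CONSTRUCTED" },
  "node_modules/dep-b": { version: "2.1.0", resolved: "https://registry.example/dep-b-2.1.0.tgz", integrity: "sha512-CONSTRUCTED" },
  "node_modules/dep-c": { version: "0.3.5", resolved: "http://registry.example/dep-c-0.3.5.tgz" },
} };

console.log(auditLock(SAMPLE_PKG, SAMPLE_LOCK));
```

Running it against a real checkout means replacing the two constructed objects with `JSON.parse(fs.readFileSync(...))` of package.json and package-lock.json.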

julianhille commented 8 months ago

Yes, you are right, I was thinking about releasing it. We had major issues when we released them, so I removed it. But yes, inside the repository this would work. Sorry for the misunderstanding.