Running npm install is in the readme instructions if you want to use npm. Does npm ci not work after you ran npm install?
I've only been using yarn lately. Is that bad practice?
It is not recommended to have both the package-lock.json and yarn.lock (and pnpm-lock etc.) in a project. Running npm install updates the package-lock.json and installs updated versions of packages, which can lead to issues, because packages can have patches with breaking or malicious changes, either by mistake or deliberately. For that reason, you want people (and CI/CD tools) to install the exact same versions of packages that you have used while developing.
If you update the package-lock.json with npm install, then even though npm ci will work, you will not know if people are running your versions of packages, if you exclusively use yarn for development.
would it be acceptable to remove package-lock.json entirely? I don't want to be mixing yarn and npm install, apparently you aren't supposed to do that.
sorry if these questions are dumb. I will do more research on best practices around this when I find time.
Yes, you can remove package-lock.json entirely from the project. But then make sure to update the readme asking people to install yarn first before proceeding: npm install -g yarn
Trying to install exact versions of dependencies with npm ci fails with the following error:

npm ci can only install packages when your package.json and package-lock.json or npm-shrinkwrap.json are in sync. Please update your lock file with npm install before continuing.

The yarn.lock file is in sync with package.json, so running yarn install or yarn install --frozen-lockfile works without any issues.
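A small CI guard for the situation described in this issue, added here as an example rather than code from the repository: it refuses to proceed when a project carries more than one lockfile (or none), and otherwise prints the one install command that will fail instead of silently rewriting the lockfile and pulling in newer releases. The function names and the pnpm mapping are my own choices.

```shell
#!/bin/sh
# Example (not part of the original project): pick the "frozen" install
# command for a project directory, or fail if the lockfile situation is
# ambiguous. Exit status: 0 = exactly one lockfile family, 1 = none,
# 2 = conflicting lockfiles (the yarn.lock + package-lock.json case above).
lockfile_check() {
    dir="${1:-.}"
    cmds=""
    # npm writes package-lock.json (or npm-shrinkwrap.json); both install with npm ci
    if [ -f "$dir/package-lock.json" ] || [ -f "$dir/npm-shrinkwrap.json" ]; then
        cmds="$cmds|npm ci"
    fi
    # yarn refuses to modify yarn.lock with --frozen-lockfile
    if [ -f "$dir/yarn.lock" ]; then
        cmds="$cmds|yarn install --frozen-lockfile"
    fi
    # pnpm uses the same flag name for its own lockfile
    if [ -f "$dir/pnpm-lock.yaml" ]; then
        cmds="$cmds|pnpm install --frozen-lockfile"
    fi
    case "$cmds" in
        "")
            echo "no lockfile in $dir: versions are not pinned, commit one first" >&2
            return 1 ;;
        "|"*"|"*)
            echo "conflicting lockfiles in $dir: ${cmds#|} (keep exactly one)" >&2
            return 2 ;;
    esac
    printf '%s\n' "${cmds#|}"
}

# Run the chosen command only when the check passes, so CI never falls back
# to a plain "npm install" that updates package-lock.json.
ci_install() {
    cmd="$(lockfile_check "$1")" || return $?
    echo "installing with: $cmd"
    (cd "$1" && $cmd)
}

# Stand-alone use: sh lockfile_check.sh path/to/project
if [ -n "${1:-}" ]; then
    ci_install "$1"
fi
```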