Decide how we want to handle package-lock.json (and yarn.lock)

[salcode]

We should either add this file to .gitignore because all of our dependencies are part of our build process and we want the latest version and if it breaks it is not catastrophic OR we should check this file in (which should be its own commit).

To complicate things, I've started using yarn rather than npm, which generates yarn.lock instead.

It seems kind of heavy to have two different lock files included, so I guess I'm leaning towards adding both of these files to .gitignore (but I'm open to other opinions).

[atcraigwatson]

I have done a quick read of the docs for both yarn.lock and package-lock.json and they both suggest that they should be under source control.

However, in the case of cloning the repo and downloading the packages you can use npm install --no-package-lock or yarn install --no-lockfile.

This says to me, drop it in the .gitignore, like you say it's part of the build process of the theme and you want the latest version.

[salcode]

Thanks for doing the leg work on reading those docs.

This says to me, drop it in the .gitignore, like you say it's part of the build process of the theme and you want the latest version.

Cool, let's plan to add them both to .gitignore

[salcode]

I've updated the title of this issue, now that we have a game plan.

[atcraigwatson]

@salcode

This could be something to consider if there is a way to do this for yarn as well.

https://www.codementor.io/johnkennedy/get-rid-of-that-npm-package-lock-json-e0bj7ai42