We've always recommended that devs use npm ci, which needs a committed package-lock.json file specifying versions.
However, that always causes trouble when someone tries to add a new package, as they have to commit a completely new lock file and we can't humanly review the changes. If the file is not committed, the lock file stays broken and future users face problems.
I'm proposing we change back to having devs use npm install. To keep the versions of dependencies consistent, we can change the package.json to have specific versions instead of the ^ notation, which allows this command to install any version above the asked one.
New packages should be added only with specific versions so we don't have too many changes.
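A check for the pinning rule proposed above, as an added example that is not part of the original post: it scans a package.json object and reports every dependency whose version is not an exact semver, so a CI step or pre-commit hook can reject caret, tilde, wildcard and tag specifiers. The package data below is constructed for the demonstration.

```javascript
// Added example (not from the original post): verify that every dependency in a
// package.json is pinned to an exact version, as the proposal requires.
// A spec counts as exact only if it is a bare semver such as 1.2.3 or 1.2.3-beta.1;
// ranges (^, ~, >=, *, x), tags (latest), git/URL/file specs are all reported.
const EXACT = /^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?$/;

// peerDependencies are intentionally skipped: those are meant to be ranges.
const SECTIONS = ['dependencies', 'devDependencies', 'optionalDependencies'];

function isExact(spec) {
  return EXACT.test(String(spec).trim());
}

// Returns [{ section, name, spec }] for every dependency that is not pinned.
function findUnpinned(pkg) {
  const problems = [];
  for (const section of SECTIONS) {
    for (const [name, spec] of Object.entries(pkg[section] || {})) {
      if (!isExact(spec)) problems.push({ section, name, spec });
    }
  }
  return problems;
}

// Human-readable report lines, one per offending dependency.
function report(pkg) {
  return findUnpinned(pkg).map(
    (p) => `${p.section}.${p.name}: "${p.spec}" is not an exact version`
  );
}

// Constructed sample package.json (hypothetical project, not the one in the post).
const samplePkg = {
  name: 'sample-app',
  dependencies: { express: '4.18.2', lodash: '^4.17.21', axios: '~1.6.0' },
  devDependencies: { jest: '29.7.0', eslint: '*', typescript: 'latest' },
};

// Running this file prints the four unpinned entries from the sample above.
for (const line of report(samplePkg)) console.log(line);
```

Pinning in package.json constrains only direct dependencies; without a lock file, transitive dependencies still resolve to whatever their own ranges allow at install time, so this check enforces the proposal but does not give the full reproducibility of npm ci.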