Should I upload the package-lock.json file to GitHub?

Viewed 474 times

1

I know the node_modules folder should not be sent to GitHub, so I add it to the .gitignore file... but what about the package-lock.json file, which has a lot of information? Is it safe to send it to GitHub? Or should I just send the package.json file and exclude package-lock.json? And if I shouldn't send it, how do I remove the ones I've already sent?

  • 2

    It should, because it guarantees exactly the versions used in the original. Sometimes people add a package with a version scheme like 1.*, which may cause conflicts if there is an update from 1.1 to 1.2, for example, which does not always keep the version. So ideally, yes, use the lock. Of course you can manage package versioning well, but if it is something that more people will work with, this could get complicated, so the lock can help avoid problems.

1 answer

2


Yes, it is recommended. This ensures that the version of the dependencies will always be the same regardless of the environment in which the application is configured.

Usually when we install dependencies using npm install dependency, the version ends up with some level of wildcard. We have already had problems here with dependencies at different versions, along these lines: the project was implemented and dependency x was installed at version 1.2.3; a few months later, when deploying to production, it was going out with version 1.2.15, and this was causing problems in the production project. I know that supposedly nothing should happen, because under semver changes in the last digit should not have any influence, but we cannot guarantee that all dependencies are versioned correctly.

That is, package-lock.json is always recommended, and it should be kept up to date with every addition, update and removal of project dependencies.
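
The 1.2.3 to 1.2.15 drift described in the answer above, as an added example that is not part of the original post: it resolves a caret range with and without a lock file, then runs a review check on the lock. The package name, registry contents, lock entry and the simplified range matcher are all constructed assumptions.

```javascript
// Added example: all data below is constructed; "dependency-x" is a made-up name.
const manifest = { dependencies: { "dependency-x": "^1.2.3" } }; // package.json
const published = ["1.2.3", "1.2.9", "1.2.15", "2.0.0"]; // registry, months later
const lock = { // package-lock.json, lockfileVersion 3 layout
  lockfileVersion: 3,
  packages: {
    "": { dependencies: { "dependency-x": "^1.2.3" } },
    "node_modules/dependency-x": {
      version: "1.2.3",
      resolved: "https://registry.npmjs.org/dependency-x/-/dependency-x-1.2.3.tgz",
      integrity: "sha512-CONSTRUCTED_PLACEHOLDER_NOT_A_REAL_HASH",
    },
  },
};

const parse = (v) => v.split(".").map(Number);
const cmp = (a, b) => {
  const [x, y] = [parse(a), parse(b)];
  for (let i = 0; i < 3; i++) if (x[i] !== y[i]) return x[i] - y[i];
  return 0;
};

// Simplified matcher (assumption): exact versions and ^ ranges with major >= 1 only.
function satisfies(version, range) {
  if (!range.startsWith("^")) return version === range;
  const base = range.slice(1);
  return parse(version)[0] === parse(base)[0] && cmp(version, base) >= 0;
}

// No lock file: the installer takes the highest published version in range.
function resolveWithoutLock(name, mf, available) {
  return available.filter((v) => satisfies(v, mf.dependencies[name])).sort(cmp).pop();
}

// With a lock file: the recorded version is installed, whatever was published since.
const resolveWithLock = (name, lk) => lk.packages["node_modules/" + name].version;

// Review check for a committed lock: in sync with package.json, has an integrity
// hash, and resolves from the expected registry.
function auditLock(mf, lk, registry = "https://registry.npmjs.org/") {
  const problems = [];
  for (const [name, range] of Object.entries(mf.dependencies)) {
    const e = lk.packages["node_modules/" + name];
    if (!e) { problems.push(`${name}: not in lock`); continue; }
    if (!satisfies(e.version, range)) problems.push(`${name}: ${e.version} outside ${range}`);
    if (!e.integrity) problems.push(`${name}: no integrity hash`);
    if (!String(e.resolved).startsWith(registry)) problems.push(`${name}: resolved from ${e.resolved}`);
  }
  return problems;
}
```

In a build pipeline, npm ci installs strictly from the committed lock file and exits with an error when package.json and package-lock.json disagree, which enforces the same pinning without a custom script.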
