I think we should start to commit package-lock.json in the next major
release but am not 100% sure. My understanding is that
package-lock.json mostly serves a couple major purposes:
* preserve the structure of node_modules cross-platform
* use SHA numbers to verify correct packages

There seem to have been changes between npm@4 (??), npm@5, and npm@6,
as described in the following:
* https://github.com/npm/npm/issues/20434 (npm@5 vs npm@6)
* https://jpospisil.com/2017/06/02/understanding-lock-files-in-npm-5.html

From what I read I think npm@5 & npm@6 would continue to follow the
semver rules for packages specified in package.json.

Major advantages I can think of:
* better consistency for cross-platform development
* no need to regenerate package-lock.json for npm audit check

But I can think of the following possible disadvantages to consider:
* not as easy to update dependencies, probably not possible to just
update dependencies by hand
* some additional "noise" in the git history, shouldn't be too bad though
* possibly major: in case people work on different dependency changes
in parallel and want to merge by git merge, rebase, or cherry-pick,
dealing with the package-lock.json changes may not be so clean

and a counter-point:
* https://www.codementor.io/johnkennedy/get-rid-of-that-npm-package-lock-json-e0bj7ai42

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@cordova.apache.org
For additional commands, e-mail: dev-h...@cordova.apache.org