Now tracked in: https://github.com/apache/cordova/issues/4
On Thu, Aug 2, 2018 at 6:14 AM Jan Piotrowski <piotrow...@gmail.com> wrote:

> +1 - everything that modernizes the tooling that can be used and
> actually uses its added functionality is a win.
>
> 2018-08-02 7:43 GMT+02:00 Chris Brody <chris.br...@gmail.com>:
> > Just raised https://issues.apache.org/jira/browse/CB-14248
> >
> > Thanks for the helpful responses
> > On Thu, Aug 2, 2018 at 12:12 AM Shazron <shaz...@gmail.com> wrote:
> >>
> >> yes +1
> >> On Thu, Aug 2, 2018 at 4:28 AM Chris Brody <chris.br...@gmail.com> wrote:
> >> >
> >> > I think we should start to commit package-lock.json in the next major
> >> > release but am not 100% sure. My understanding is that
> >> > package-lock.json mostly serves a couple major purposes:
> >> > * preserve the structure of node_modules cross-platform
> >> > * use SHA numbers to verify correct packages
> >> >
> >> > There seem to have been changes between npm@4 (??), npm@5, and npm@6,
> >> > as described in the following:
> >> > * https://github.com/npm/npm/issues/20434 (npm@5 vs npm@6)
> >> > * https://jpospisil.com/2017/06/02/understanding-lock-files-in-npm-5.html
> >> >
> >> > From what I read I think npm@5 & npm@6 would continue to follow the
> >> > semver rules for packages specified in package.json.
> >> >
> >> > Major advantages I can think of:
> >> > * better consistency for cross-platform development
> >> > * no need to regenerate package-lock.json for npm audit check
> >> >
> >> > But I can think of the following possible disadvantages to consider:
> >> > * not as easy to update dependencies, probably not possible to just
> >> > update dependencies by hand
> >> > * some additional "noise" in the git history, shouldn't be too bad though
> >> > * possibly major: in case people work on different dependency changes
> >> > in parallel and want to merge by git merge, rebase, or cherry-pick
> >> > dealing with the package-lock.json changes may not be so clean
> >> >
> >> > and a counter-point:
> >> > * https://www.codementor.io/johnkennedy/get-rid-of-that-npm-package-lock-json-e0bj7ai42
> >> >
> >> > ---------------------------------------------------------------------
> >> > To unsubscribe, e-mail: dev-unsubscr...@cordova.apache.org
> >> > For additional commands, e-mail: dev-h...@cordova.apache.org
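
Added example, not part of the thread and not Cordova or npm code: a sketch of the "use SHA numbers to verify correct packages" purpose mentioned above, checking package bytes against the `integrity` field of each entry in a lockfileVersion 1 package-lock.json. The package names, the sample bytes and the `getBytes` callback are constructed for illustration.

```javascript
// Added example (not from the thread): check package bytes against lockfile "integrity" values.
const crypto = require("crypto");

const STRENGTH = ["sha1", "sha256", "sha384", "sha512"]; // weakest to strongest

// Split an SRI string ("sha512-<base64>", space-separated if several) into parts.
function parseIntegrity(sri) {
  return String(sri || "").split(/\s+/).filter(Boolean).map((item) => {
    const dash = item.indexOf("-");
    return { algo: item.slice(0, dash), digest: item.slice(dash + 1).split("?")[0] };
  }).filter((h) => STRENGTH.includes(h.algo));
}

// Compare the bytes with the strongest hash the entry offers.
function verifyTarball(bytes, sri) {
  const hashes = parseIntegrity(sri);
  if (hashes.length === 0) return "no-integrity";
  const best = hashes.reduce((a, b) =>
    STRENGTH.indexOf(b.algo) > STRENGTH.indexOf(a.algo) ? b : a);
  const actual = crypto.createHash(best.algo).update(bytes).digest();
  const expected = Buffer.from(best.digest, "base64");
  if (expected.length !== actual.length || !crypto.timingSafeEqual(actual, expected)) {
    return "mismatch";
  }
  return best.algo === "sha1" ? "weak-sha1" : "match";
}

// Walk the nested "dependencies" tree of a lockfileVersion 1 file (npm@5/npm@6).
// getBytes(name, version) is a hypothetical callback returning the tarball bytes.
function auditLock(lock, getBytes) {
  const findings = [];
  (function walk(deps, prefix) {
    for (const [name, entry] of Object.entries(deps || {})) {
      const id = `${prefix}${name}@${entry.version}`;
      const verdict = verifyTarball(getBytes(name, entry.version), entry.integrity);
      if (verdict !== "match") findings.push(`${id}: ${verdict}`);
      walk(entry.dependencies, `${id} > `);
    }
  })(lock.dependencies, "");
  return findings;
}

// Constructed sample data: fictional packages, integrity values computed inline.
const sri = (algo, bytes) => `${algo}-${crypto.createHash(algo).update(bytes).digest("base64")}`;
const good = Buffer.from("constructed tarball bytes");
const tampered = Buffer.from("constructed tarball bytes, modified");
const sampleLock = { lockfileVersion: 1, dependencies: {
  "pkg-a": { version: "1.0.0", integrity: sri("sha512", good) },
  "pkg-b": { version: "2.1.0", integrity: sri("sha512", good),
    dependencies: { "pkg-c": { version: "0.3.0" } } },
  "pkg-d": { version: "4.0.2", integrity: sri("sha1", good) },
} };
const sampleBytes = (name) => (name === "pkg-b" ? tampered : good);
console.log(auditLock(sampleLock, sampleBytes));
```

An entry with no `integrity` value or only a sha1 one is reported separately from a mismatch, since a committed lockfile only pins content for the entries that carry a strong hash.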