NPM v5 supports shrinkwrapping dependencies <http://blog.npmjs.org/post/161081169345/v500> via a "package-lock.json" lockfile (example <https://gerrit.wikimedia.org/r/#/c/403724/1/package-lock.json>). Should we generally be committing these lockfiles or ignoring them in Wikimedia repos?
The downsides of lockfile usage that I'm aware of are:

1. No CI support yet. (CI simply ignores this file when installing dependencies because it uses an older version of NPM.)
2. Platform differences can create different lockfiles for optional dependencies, but it's a known issue <https://github.com/npm/npm/issues/17722>.
3. Developers must remember to use NPM v5 or greater when adding or updating dependencies.
4. The format is a bit verbose.

The pros of lockfiles are:

1. Considered best practice and the default behavior of NPM.
2. The officially supported use case for reproducible builds.

The topic is tracked in T179229 <https://phabricator.wikimedia.org/T179229> but there's lots of activity around lockfiles <https://phabricator.wikimedia.org/search/query/NFhYM5EmMLlB/#R> outside of it.

Stephen

_______________________________________________
Wikitech-l mailing list
[email protected]
https://lists.wikimedia.org/mailman/listinfo/wikitech-l
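The failure mode behind downside 3 in the post above (a developer edits package.json with an npm older than v5, which ignores package-lock.json, and commits without regenerating the lock) is one a repository can check for mechanically. The following is an added example, not code from the original post or from any Wikimedia repository: a Node.js script that compares a package.json against a v1 package-lock.json and reports declared packages that are missing from the lock, locked versions that fall outside the declared range, entries without an integrity hash, and top-level lock entries no declared dependency still reaches. The package.json and package-lock.json objects, the package names, and the integrity strings are constructed sample input, not real data; the range parser is a deliberately small subset of npm's semver syntax (exact, `^`, `~`, `>=`) that fails closed on anything else.

```javascript
// Added example (not from the mailing-list post or any Wikimedia repo):
// detect drift between package.json and a v1 package-lock.json.
// All JSON below is constructed sample input; integrity values are placeholders.

function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

function cmp(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// Small subset of npm range syntax: exact, ^, ~ and >=. Anything else is
// rejected rather than silently accepted, so the check fails closed.
function satisfies(version, range) {
  const v = parseVersion(version);
  if (range.startsWith('^')) {
    const r = parseVersion(range.slice(1));
    if (cmp(v, r) < 0) return false;
    if (r[0] !== 0) return v[0] === r[0];                 // ^1.2.3 := >=1.2.3 <2.0.0
    if (r[1] !== 0) return v[0] === 0 && v[1] === r[1];   // ^0.2.3 := >=0.2.3 <0.3.0
    return v[0] === 0 && v[1] === 0 && v[2] === r[2];     // ^0.0.3 := exactly 0.0.3
  }
  if (range.startsWith('~')) {
    const r = parseVersion(range.slice(1));
    return cmp(v, r) >= 0 && v[0] === r[0] && v[1] === r[1]; // ~1.2.3 := >=1.2.3 <1.3.0
  }
  if (range.startsWith('>=')) return cmp(v, parseVersion(range.slice(2))) >= 0;
  if (/^v?\d/.test(range)) return cmp(v, parseVersion(range)) === 0;
  throw new Error(`unsupported range syntax: ${range}`);
}

// Returns a list of problem strings; an empty list means the two files agree.
// Only hoisted (top-level) lock entries are examined; nested "dependencies"
// blocks inside entries are out of scope for this example.
function checkLockfile(pkg, lock) {
  const problems = [];
  const declared = Object.assign({}, pkg.dependencies, pkg.devDependencies);
  const locked = lock.dependencies || {};

  // 1. Every declared dependency must be locked inside its range and carry an
  //    integrity hash, so a later install can detect a tampered tarball.
  for (const [name, range] of Object.entries(declared)) {
    const entry = locked[name];
    if (!entry) { problems.push(`${name}: declared in package.json but missing from lockfile`); continue; }
    if (!satisfies(entry.version, range)) problems.push(`${name}: locked ${entry.version} does not satisfy ${range}`);
    if (!entry.integrity) problems.push(`${name}: no integrity hash in lockfile`);
  }

  // 2. Walk the "requires" graph from the declared packages; a top-level lock
  //    entry that is never reached is a leftover from a removed dependency.
  const reached = new Set();
  const queue = Object.keys(declared).filter((n) => locked[n]);
  while (queue.length) {
    const name = queue.shift();
    if (reached.has(name)) continue;
    reached.add(name);
    for (const dep of Object.keys(locked[name].requires || {})) if (locked[dep]) queue.push(dep);
  }
  for (const name of Object.keys(locked)) {
    if (!reached.has(name)) problems.push(`${name}: in lockfile but not required by any declared dependency`);
  }
  return problems;
}

// Constructed sample input (placeholder package names and integrity strings).
const SAMPLE_PKG = {
  name: 'example-app',
  dependencies: { lodash: '^4.17.4' },
  devDependencies: { eslint: '~4.15.0' },
};
const SAMPLE_LOCK = {
  name: 'example-app', lockfileVersion: 1,
  dependencies: {
    lodash: { version: '4.17.4', integrity: 'sha512-PLACEHOLDER' },
    eslint: { version: '4.15.0', integrity: 'sha512-PLACEHOLDER', dev: true, requires: { debug: '^3.1.0' } },
    debug:  { version: '3.1.0',  integrity: 'sha512-PLACEHOLDER', dev: true, requires: { ms: '2.0.0' } },
    ms:     { version: '2.0.0',  integrity: 'sha1-PLACEHOLDER',   dev: true },
    'left-pad': { version: '1.2.0' },   // stale leftover from a removed dependency
  },
};
// The same lock after someone bumped lodash and added "request" in package.json
// with an old npm that never touched the lockfile.
const DRIFTED_PKG = Object.assign({}, SAMPLE_PKG, { dependencies: { lodash: '^4.17.10', request: '^2.83.0' } });

// Usage: run the check against both constructed inputs and print any drift.
for (const [label, pkg] of [['in sync', SAMPLE_PKG], ['drifted', DRIFTED_PKG]]) {
  console.log(label, checkLockfile(pkg, SAMPLE_LOCK));
}
```

Wired into CI as a failing check, this catches the drift before it lands, which is the practical answer to the concern that an older npm on the CI hosts silently ignores the file: the lock can still be validated even where it is not yet consumed.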
