I've noticed this repeatedly recently, and it doesn't seem right to me, but maybe I'm misunderstanding, or there's some other underlying issue.My understanding is package-lock.json file ensures that the same version of a specific dependency is installed each time, so a subsequent install of the project on a different machine occurs, we as developers can be sure that we're working with the same version of dependencies, so if a new version of the dependency is released (and matches our semver specification in package.json) we won't automatically pick up that one instead, potentially leading to different behaviour between machines.What I'm finding is that when I'm checking out a new project, and run a standard npm i, it's making changes to package-lock.json. Now most of these are adding an integrity and/or dev field into some entries - now I'm thinking this is just due to people working with slightly older versions of npm which do not add those fields when installing new dependencies, which is more understandable.What I can't understand is why it will remove entire dependencies at times (I'm talking specifically about fs-events), now I think that fs-events doesn't get installed on my machine, because Windows, where as it might get installed on our Mac developer machines. Okay, that's fine, it's not compatible with my OS, so I don't get the actual dependency installed, not a problem, but what it then does is remove the entire entry out of package-lock.json, along with any items it depends on that no other dependency does - which does not seem okay, because on committing that change, I'm changing the dependency graph for the Mac developers, who then might get a different version of fs-events the next time they install from fresh.What am I missing here? Or is this just a flaw with package-lock.json and npm? I've never encountered this issue when using yarn, but it was decided for work projects that we would use npm instead of yarn.
Submitted February 22, 2018 at 07:36AM by Nysosis
No comments:
Post a Comment