Should I commit yarn.lock and package-lock.json files?

npm package yarnpkg
Artimus picture Artimus · Jun 14, 2017 · Viewed 60.7k times · Source

We're using yarn for all our deterministic pkg installations but don't prevent the user from using npm - I'm guessing having both these files will cause issues however. Should one be added to your .gitignore dir?

Answer

Robin Winslow picture Robin Winslow · Jul 4, 2017

Always commit dependency lock files in general

As is covered elsewhere, dependency lock files, which are supported by many package management systems (e.g.: composer and bundler), should be committed to the codebase in end-of-chain projects - so that each individual trying to run that project is doing so with exactly the tested set of dependencies.

It's less clear whether lock files should always be committed into packages that are intended to be included in other projects (where looser dependencies are desirable). However, both Yarn and NPM (as covered by @Cyrille) intelligently ignore yarn.lock and package-lock.json respectively where necessary, making it safe to always commit these lockfiles.

So you should always commit at least one of yarn.lock or package-lock.json depending on which package manager you're using.

Should you commit both yarn.lock and package-lock.json?

At present we have two different package management systems, which both install the same set of dependencies from package.json, but which generate and read from two different lockfiles. NPM 5 generates package-lock.json, whereas Yarn generates yarn.lock.

If you commit package-lock.json then you're building in support for people installing your dependencies with NPM 5. If you commit yarn.lock, you're building in support for people installing dependencies with Yarn.

Whether you choose to commit yarn.lock or package-lock.json or both depends on whether those developing on your project are only using Yarn or NPM 5 or both. If your project is open-source, the most community-friendly thing to do would probably be to commit both and have an automated process to ensure yarn.lock and package-lock.json always stay in sync.

Update: Yarn have now introduced an import command which will generate a yarn.lock file from a package-lock.json file. This could be useful for keeping the two files in sync. (Thanks @weakish)

This issues was discussed at length on the Yarn project in:

Both are now closed.

Related questions

Find the version of an installed npm package

How to find the version of an installed node.js/npm package? This prints the version of npm itself: npm -v <package-name> This prints a cryptic error: npm version <package-name> This prints the package version on …

Read More
How to clean node_modules folder of packages that are not in package.json?

Assume I install project packages with npm install that looks into package.json for modules to be installed. After a while I see that I don't need some specific module and remove its dependency from package.json. Then I remove …

Read More
What is the difference between --save and --save-dev?

What is the difference between: npm install [package_name] and: npm install [package_name] --save and: npm install [package_name] --save-dev What does this mean? And what is really the effect of --save and -dev keywords?

Read More