yes +1 On Thu, Aug 2, 2018 at 4:28 AM Chris Brody <chris.br...@gmail.com> wrote: > > I think we should start to commit package-lock.json in the next major > release but am not 100% sure. My understanding is that > package-lock.json mostly serves a couple major purposes: > * preserve the structure of node_modules cross-platform > * use SHA numbers to verify correct packages > > There seem to have been changes between npm@4 (??), npm@5, and npm@6, > as described in the following: > * https://github.com/npm/npm/issues/20434 (npm@5 vs npm@6) > * https://jpospisil.com/2017/06/02/understanding-lock-files-in-npm-5.html > > From what I read I think npm@5 & npm@6 would continue to follow the > semver rules for packages specified in package.json. > > Major advantages I can think of: > * better consistency for cross-platform development > * no need to regenerate package-lock.json for npm audit check > > But I can think of the following possible disadvantages to consider: > * not as easy to update dependencies, probably not possible to just > update dependencies by hand > * some additional "noise" in the git history, shouldn't be too bad though > * possibly major: in case people work on different dependency changes > in parallel and want to merge by git merge, rebase, or cherry-pick > dealing with the package-lock.json changes may not be so clean > > and a counter-point: > * > https://www.codementor.io/johnkennedy/get-rid-of-that-npm-package-lock-json-e0bj7ai42 > > --------------------------------------------------------------------- > To unsubscribe, e-mail: dev-unsubscr...@cordova.apache.org > For additional commands, e-mail: dev-h...@cordova.apache.org >
--------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@cordova.apache.org For additional commands, e-mail: dev-h...@cordova.apache.org
