breautek commented on pull request #879: URL: https://github.com/apache/cordova-lib/pull/879#issuecomment-917674737
There was a consensus back in 2018 via https://github.com/apache/cordova/issues/4#issuecomment-420728477 to add package-locks, which is why a variety of our packages have package-locks. If you ask my personal opinion on package-locks, I hate them, mostly for the reasons described by sindresorhus. However, not committing them still presents the same issues described by sindresorhus, unless we (the maintainers) are constantly wiping the package-lock & node_modules and reinstalling from scratch. We could configure NPM via `.npmrc` to disable package locks so they won't be generated in the first place, but this also has a few consequences:

1. node_modules are not automatically pruned if package-locks are disabled. They can be manually pruned via `npm prune`.
2. NPM installs will be slower (however not sure how significant since most cordova repos are fairly small anyway).
3. The `npm ci` command requires a package-lock or shrinkwrap, so CI workflows may have to be updated accordingly to use `npm install` instead.
4. `npm audit` I believe also requires a package-lock or shrinkwrap.

Despite its flaws I think the benefits of package-lock still outweigh the consequences of not committing/disabling package-lock.
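The comment weighs the benefits of a committed package-lock against its flaws; from a supply-chain standpoint the main benefit is that every dependency is pinned to a resolved artifact URL and an integrity hash, which `npm ci` then enforces. The script below is an added example (not code from the cordova-lib PR or the project) that audits a lockfileVersion 2/3 file for entries missing that pinning; the sample lock file and the trusted registry host list are constructed assumptions.

```python
"""Audit a package-lock.json for supply-chain pinning gaps (added example)."""
import json
from urllib.parse import urlparse

# Assumption: only the public npm registry is an expected artifact source.
REGISTRY_HOSTS = {"registry.npmjs.org"}


def audit_lock(lock_text):
    """Return (package path, problem) tuples for entries that are not fully pinned."""
    lock = json.loads(lock_text)
    if lock.get("lockfileVersion", 1) < 2:
        raise ValueError("only lockfileVersion 2 or 3 is handled here")
    findings = []
    for path, meta in lock.get("packages", {}).items():
        if path == "" or meta.get("link"):
            continue  # root project entry or workspace symlink, nothing to fetch
        resolved = meta.get("resolved")
        integrity = meta.get("integrity", "")
        if not resolved:
            findings.append((path, "no resolved URL (version not pinned to an artifact)"))
        else:
            host = urlparse(resolved).hostname
            if host not in REGISTRY_HOSTS:
                findings.append((path, f"resolved from non-registry host {host}"))
        if not integrity:
            findings.append((path, "no integrity hash"))
        elif not integrity.startswith("sha512-"):
            findings.append((path, f"weak integrity algorithm {integrity.split('-', 1)[0]}"))
    return findings


# Constructed sample lock file: one clean entry, one without a hash,
# one fetched from a mirror with a weak hash algorithm.
SAMPLE_LOCK = json.dumps({
    "name": "demo", "lockfileVersion": 2, "packages": {
        "": {"name": "demo", "version": "1.0.0"},
        "node_modules/ok-pkg": {"version": "1.2.3",
            "resolved": "https://registry.npmjs.org/ok-pkg/-/ok-pkg-1.2.3.tgz",
            "integrity": "sha512-AAAA"},
        "node_modules/no-hash": {"version": "0.1.0",
            "resolved": "https://registry.npmjs.org/no-hash/-/no-hash-0.1.0.tgz"},
        "node_modules/mirror-pkg": {"version": "2.0.0",
            "resolved": "https://mirror.example.invalid/mirror-pkg-2.0.0.tgz",
            "integrity": "sha1-BBBB"},
    }})

if __name__ == "__main__":
    for pkg_path, problem in audit_lock(SAMPLE_LOCK):
        print(f"{pkg_path}: {problem}")
```

Run it against a real lock file by reading the file contents into `audit_lock`; a lock file that yields no findings is the state `npm ci` needs to reproduce an install byte-for-byte.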
