Hi @samchon
Include lock files in your projects.
It has been pointed out previously in this project that lockfiles should not be included in a library project. As for myself, I had my doubts. I was wondering, because the majority of JS/TS library projects out there include lockfiles.
I did some research on this to be sure, and it seems that in the old node.js it was better not to include it. However, modern practice is that lock files should be managed even in library projects. This is to ensure that developers share the same dependencies. You mentioned that you were concerned that the behaviour might break when the dependent library versioned up, in which case the problem should be solved if we specify the appropriate version in package.json and make the fix!
Here are some sources I found:
This file is intended to be committed into source repositories
Also, without a lockfile, we do not know which package manager (npm? yarn? pnpm? bun?) you are using for your project. This is very important to ensure reproducibility. Once we have experienced that different pnpm and npm have different build outputs, I think it is important to know which package manager you are using to build your project. You can use like npx only-allow pnpm in prepare script in package.json, but still lockfile is important for contributors.

Make no mistake, this issue is a proposal to improve the project and our collaboration. I'm excited to get the project going with you.
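
The check discussed in the issue above, as an added example that is not part of the issue or of the project's code: it verifies that exactly one lockfile is committed and that the package manager running the install is the one that lockfile belongs to. The function names and the sample inputs are hypothetical; `npm_config_user_agent` is the environment variable npm, yarn and pnpm set for the scripts they run.

```javascript
// Lockfile name -> package manager that writes it.
const LOCKFILES = new Map([
  ['package-lock.json', 'npm'],
  ['npm-shrinkwrap.json', 'npm'],
  ['yarn.lock', 'yarn'],
  ['pnpm-lock.yaml', 'pnpm'],
  ['bun.lockb', 'bun'],
  ['bun.lock', 'bun'],
]);

// Package managers that have a lockfile among the repository's root-level files.
function managersFromLockfiles(fileNames) {
  const found = new Set();
  for (const name of fileNames) {
    if (LOCKFILES.has(name)) found.add(LOCKFILES.get(name));
  }
  return [...found].sort();
}

// The user agent looks like "pnpm/9.1.0 npm/? node/v20.11.0 linux x64";
// its first token names the tool that launched the script.
function managerFromUserAgent(userAgent) {
  const m = /^([a-z]+)\/\S+/i.exec((userAgent || '').trim());
  return m ? m[1].toLowerCase() : null;
}

// Fail closed: no lockfile, several lockfiles, or a mismatch all reject the install.
function checkInstall(fileNames, userAgent) {
  const locked = managersFromLockfiles(fileNames);
  const running = managerFromUserAgent(userAgent);
  if (locked.length === 0) return { ok: false, reason: 'no lockfile committed' };
  if (locked.length > 1) {
    return { ok: false, reason: `conflicting lockfiles: ${locked.join(', ')}` };
  }
  if (running === null) return { ok: false, reason: 'unknown package manager' };
  if (running !== locked[0]) {
    return { ok: false, reason: `lockfile is for ${locked[0]}, install runs under ${running}` };
  }
  return { ok: true, reason: `${running} matches lockfile` };
}

// Constructed sample: a repository root with a pnpm lockfile, installed with npm.
const sampleFiles = ['package.json', 'pnpm-lock.yaml', 'src', 'README.md'];
const sampleAgent = 'npm/10.2.4 node/v20.11.0 linux x64 workspaces/false';
console.log(checkInstall(sampleFiles, sampleAgent));
console.log(checkInstall(sampleFiles, process.env.npm_config_user_agent));
```

In a real repository the file list would come from reading the project root, and a failing result would end the script with a non-zero exit code so the install or CI job stops.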