Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Delete package-lock.json #211

Merged
merged 1 commit into from Apr 23, 2018
Merged

Delete package-lock.json #211

merged 1 commit into from Apr 23, 2018

Conversation

fenichelar
Copy link
Contributor

@fenichelar fenichelar commented Apr 22, 2018
edited

Fixes #209. package-lock.json historically has not been included in fsevents. Including this file breaks this approach for releases.

@fenichelar fenichelar mentioned this pull request Apr 22, 2018
Closed
@billyjanitsch
Copy link

Deleting package-lock.json does not address the issue you linked, and doesn't necessarily fix #209. package-lock.json is never published to npm and has no effect on dependency resolution at install time. Instead, it ensures that anyone developing the package has the same local dependency tree.

However, fsevents bundles its dependency on node-pre-gyp, which means that whichever version of node-pre-gpy happens to be installed on a developer's machine when they run npm publish gets published as part of the package. This essentially fixes the dependency to an exact version, despite the caret range in package.json. This does affect fsevents's install-time dependency tree, and happens regardless of whether a package-lock.json is present.

The difference is that with a package-lock.json, the version that exists on the publisher's machine (i.e. the one that gets bundled) is deterministic, which is a good thing: you know exactly which version will be bundled regardless of who runs npm publish and when. It would be very odd not to keep a package-lock.json if fsevents continues to bundle that dependency. But if you want to avoid fixing the dependency at install time entirely, the solution is not to delete package-lock.json but to stop bundling the dependency. (I'm not sure why it was bundled in the first place.)

@fenichelar
Copy link
Contributor Author

fenichelar commented Apr 23, 2018
edited

@billyjanitsch I didn't do an exhaustive search, but it appears that strongloop does not include the package-lock.json file in any of the repositories I found on GitHub (not sure why). Did you see @es128 comments to this? Specifically, he said "Just do a fresh install". I think it is safe to assume they have no plans of pinning dependency versions... I understand how it works and I agree with you that this is a better option, but I don't think it is likely to be accepted.

@fenichelar
Copy link
Contributor Author

fenichelar commented Apr 23, 2018
edited

Also, the package-lock file was added in the most recent commit. I think it was added by mistake.

@es128
Copy link
Contributor

es128 commented Apr 23, 2018

The lockfile did actually sneak in by mistake. I think it got pulled in when I used the npm version command.

@es128 es128 merged commit 05a1854 into fsevents:master Apr 23, 2018
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
3 participants
@fenichelar @billyjanitsch @es128