Comments (3)
Personally I'm a fan of having the `package-lock.json` since it lets you install quickly using `npm ci`, and lets you audit the package. It shouldn't result in anyone downloading any extra packages afaik?
from audit-ci.
That's true, but only for people checking out this repo, not when using the published package.

> If other transitive dependencies have 3.0.1 in their package-lock.json

`npm` never uses the `package-lock.json` when installing into `node_modules` - it implicitly excludes the file when packing (even if you try to explicitly include it), and if you publish a package with it by, say, packing manually, `npm` will just ignore it at install time 🙂

In the situation you describe, both npm & yarn should remove the `3.0.0` package in favor of `3.0.1` if it satisfies the constraints of both consuming packages.

(This is the main area where npm & yarn differ in their locks: npm strives for the most accurate tree possible, whereas yarn aims for the most deduplicated, so in these situations yarn can result in slightly fewer packages as it'll choose to downgrade/not-upgrade instead of having two packages installed when adding a package to an existing tree.)
Thank you for your input!

It could result in someone downloading extra versions of the same package. If in audit-ci's `package.json` there's a package with `^3.0.0` but has the package's version set to `3.0.0` in `package-lock.json`, then it will always download `3.0.0`. If other transitive dependencies have `3.0.1` in their `package-lock.json` then yarn/npm will install both `3.0.0` and `3.0.1`, which is probably unnecessary.

I am still leaning towards keeping the `package-lock.json` for the reasons you mentioned, but am still open to more discussion :)
from audit-ci.
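As an added illustration of the scenario discussed in the two comments above (this is not code from the audit-ci thread or project), a small Node.js model of the install-time resolution described there: a dependency's own `package-lock.json` is ignored, only its declared range counts, and one version satisfying every consumer's range is preferred over installing two copies. The consumer names, registry versions and the simplified x.y.z / caret-range logic are constructed for the example.

```javascript
// Added example (not from the audit-ci thread): model how npm/yarn resolve a
// shared dependency when a consumer installs the *published* package. Each
// dependency's own package-lock.json is never consulted; only the range in its
// package.json matters. Versions are simplified to x.y.z, ranges to an exact
// pin ("3.0.0") or a caret range ("^3.0.0").

const parse = (v) => v.split('.').map(Number);

const compare = (a, b) => {
  const [pa, pb] = [parse(a), parse(b)];
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] - pb[i];
  return 0;
};

// Caret semantics for major >= 1: same major as the base and not older than it.
function satisfies(version, range) {
  if (!range.startsWith('^')) return compare(version, range) === 0;
  const base = range.slice(1);
  return parse(version)[0] === parse(base)[0] && compare(version, base) >= 0;
}

// consumers: [{ name, range, locked }] where `locked` is the version pinned in
// that consumer's own package-lock.json. It is deliberately never read below,
// mirroring npm ignoring a dependency's lockfile at install time.
// registry: published versions of the shared dependency.
function resolveShared(consumers, registry) {
  const sorted = [...registry].sort(compare).reverse(); // highest first
  const shared = sorted.find((v) => consumers.every((c) => satisfies(v, c.range)));
  if (shared) return { installed: [shared], nested: {} };
  // No single version fits every range: each consumer gets its own nested copy.
  const nested = {};
  for (const c of consumers) {
    nested[c.name] = sorted.find((v) => satisfies(v, c.range)) ?? null;
  }
  return { installed: [...new Set(Object.values(nested))].filter(Boolean), nested };
}

// Constructed scenario from the thread: audit-ci's lock pins 3.0.0, another
// dependant's lock pins 3.0.1, both declare ^3.0.0, and both versions exist.
const scenario = [
  { name: 'audit-ci', range: '^3.0.0', locked: '3.0.0' },
  { name: 'other-dep', range: '^3.0.0', locked: '3.0.1' },
];
const registry = ['3.0.0', '3.0.1'];

console.log(resolveShared(scenario, registry)); // { installed: ['3.0.1'], nested: {} }
```

Swapping `other-dep`'s range for `^2.0.0` (with a 2.x version in the registry) shows the other branch: no single version satisfies both, so two copies are installed.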