Suggestion: Ignore composer.lock and package-lock.json files. about wprig HOT 6 CLOSED

I've not known it to be "the best practice".

And yes, the intent of the lock files is to ensure every developer has the dependencies. However, in practice, it doesn't stack up as the files do change.

Let's take a look at few very popular repos around GitHub to see if they include the lock files.

• React - no package-lock.json file in the repo
• Jest - no package-lock.json file in the repo
• Redux - yes - the package-lock.json file is included
• Vuejs - no package-lock.json file in the repo
• Laravel - no composer.lock file in the repo + it's ignored in the .gitignore file
• Symfony - no composer.lock file is in the repo + it's ignored.

from wprig.

Isn't the best practice to keep the lock files in the repositories to ensure every developer has the same dependencies regardless of the local setup?

from wprig.

For the time being I would like to keep the .lock files in place to enforce some level of control. This is consistent with how most projects I've interacted with does things, and as @spencerfinnell pointed out, it is considered best-practice.

I'm closing this issue and the associated PR for now. Let's revisit when WP Rig has made the rounds and we start getting some feedback from the community.

from wprig.

Here’s the Composer website talking about how you should commit your lock file: https://getcomposer.org/doc/01-basic-usage.md#commit-your-composer-lock-file-to-version-control

from wprig.

@hellofromtonya some of the projects you listed use yarn. Your first example React has a yarn.lock in the root, which is always checked in.

from wprig.

From https://github.com/npm/npm/blob/latest/doc/files/package-lock.json.md

This file is intended to be committed into source repositories, and serves various purposes:

from wprig.