The package-lock.json file records the exact resolved version, and an integrity hash of the tarball, for every package in the dependency tree, so that the packages used by developers match the packages used in another important environment: production.
It also ensures that any change to the versions used in production is deliberate, has an opportunity to be reviewed, and can easily be rolled back by building and deploying an older revision of the application's source, since that revision carries the older lockfile. This only holds when the lockfile is committed and production builds install with npm ci, which installs exactly what the lockfile specifies and fails if the lockfile disagrees with package.json; plain npm install may resolve newer versions and silently rewrite the lockfile.
Note that declaring a version of 1.2 in the dependencies in package.json tells npm that it may select any version from 1.2.0 up to, but not including, 1.3.0: 1.2.1 qualifies, while 1.3.0 and 1.20.0 do not. The caret range that npm writes by default, for example ^1.2.0, is wider still and permits any 1.x.y at or above 1.2.0.
Even though a patch-level difference suggests a non-breaking change, nothing actually prevents the express developers from breaking the package between the hypothetical versions 1.2.0 and 1.2.1, whether by an honest mistake or by a release that was never meant to be trusted, so it's important to ensure that the move between these versions is deliberate and easily reversible.
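The script below is an added example written for this page; it is neither the article's own code nor npm's implementation. It performs, on a constructed package.json and package-lock.json pair embedded in the script, the consistency check that npm ci carries out before installing: the version the lockfile pins for each declared dependency must satisfy the range in package.json, and each pinned entry must carry an integrity hash. The range parser handles only the forms discussed above (exact 1.2.3, partial 1.2, ~1.2.3 and ^1.2.3), not the full semver grammar. The package names example-util and example-logger, the integrity strings and the checkProjectDir helper are assumptions made for the sample.

```javascript
// Added example, not code from the original article or from npm itself.
// Checks a package.json / package-lock.json pair for the two properties that
// make a lockfile worth committing: every pinned version satisfies the declared
// range, and every pinned entry has an integrity hash that fixes its contents.

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  if (!m) throw new Error(`not a full semver version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Compare two [major, minor, patch] triples: returns -1, 0 or 1.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Translate a range into an inclusive lower bound and an exclusive upper bound.
// Supported forms only: "1.2.3", "1.2", "1", "~x.y.z", "^x.y.z" (no prereleases,
// no ">=", no "||").
function rangeBounds(range) {
  let r = range.trim();
  let op = '';
  if (r[0] === '^' || r[0] === '~') { op = r[0]; r = r.slice(1); }
  const parts = r.split('.');
  if (parts.length > 3 || !parts.every(p => /^\d+$/.test(p))) {
    throw new Error(`unsupported range: ${range}`);
  }
  const n = parts.map(Number);
  const lower = [n[0], n[1] ?? 0, n[2] ?? 0];
  let upper;
  if (op === '^') {
    // caret: free to move up to the next non-zero leading component
    if (lower[0] !== 0 || parts.length === 1) upper = [lower[0] + 1, 0, 0];
    else if (lower[1] !== 0 || parts.length === 2) upper = [0, lower[1] + 1, 0];
    else upper = [0, 0, lower[2] + 1];
  } else if (op === '~' || parts.length < 3) {
    // tilde and partial versions: "1.2" means 1.2.x, "1" means 1.x.x
    upper = parts.length === 1 ? [lower[0] + 1, 0, 0] : [lower[0], lower[1] + 1, 0];
  } else {
    upper = [lower[0], lower[1], lower[2] + 1]; // exact version
  }
  return { lower, upper };
}

function satisfies(version, range) {
  const v = parseVersion(version);
  const { lower, upper } = rangeBounds(range);
  return compareVersions(v, lower) >= 0 && compareVersions(v, upper) < 0;
}

// Compare declared dependencies against the lockfile's "packages" map
// (lockfileVersion 2 and 3). Returns a list of human-readable problems.
function checkLockfile(pkg, lock) {
  const problems = [];
  const declared = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
  const packages = lock.packages || {};
  for (const [name, range] of Object.entries(declared)) {
    const entry = packages[`node_modules/${name}`];
    if (!entry) {
      problems.push(`${name}: declared in package.json but absent from package-lock.json`);
      continue;
    }
    if (!satisfies(entry.version, range)) {
      problems.push(`${name}: locked ${entry.version} does not satisfy declared range ${range}`);
    }
    if (!entry.integrity) {
      problems.push(`${name}: lockfile entry has no integrity hash, so its contents are not pinned`);
    }
  }
  return problems;
}

// Hypothetical helper for a real project: checks the files in a directory.
function checkProjectDir(dir) {
  const fs = require('fs');
  const path = require('path');
  const read = f => JSON.parse(fs.readFileSync(path.join(dir, f), 'utf8'));
  return checkLockfile(read('package.json'), read('package-lock.json'));
}

// Constructed sample input. "express" pinned at 1.2.1 matches the hypothetical
// "1.2" range from the text; example-util and example-logger are made-up names
// that show the two failure modes. Integrity values are placeholders, and real
// entries also carry a "resolved" URL, omitted here.
const SAMPLE_PACKAGE_JSON = {
  name: 'demo-app',
  dependencies: { express: '1.2', 'example-util': '^1.3.0' },
  devDependencies: { 'example-logger': '~2.0.0' },
};
const SAMPLE_LOCKFILE = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', dependencies: SAMPLE_PACKAGE_JSON.dependencies },
    'node_modules/express': { version: '1.2.1', integrity: 'sha512-constructedPlaceholderA==' },
    // 2.0.0 is outside ^1.3.0: the lockfile was hand-edited or regenerated elsewhere
    'node_modules/example-util': { version: '2.0.0', integrity: 'sha512-constructedPlaceholderB==' },
    // in range, but nothing pins the bytes that will be unpacked
    'node_modules/example-logger': { version: '2.0.4' },
  },
};

const sampleProblems = checkLockfile(SAMPLE_PACKAGE_JSON, SAMPLE_LOCKFILE);
if (sampleProblems.length === 0) console.log('package-lock.json is consistent with package.json');
for (const p of sampleProblems) console.log('problem:', p);
```

Run with node and it reports the two problems in the sample; checkProjectDir does the same for a real project directory. A mismatch like the example-util one is exactly the condition under which npm ci refuses to install, and a missing integrity field means the lockfile pins a version number but not the contents, which is worth flagging in review.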