
When Not to Use Lock Files with Node.js

Blog post from Twilio

Post Details
Company: Twilio
Date Published:
Author: Dominik Kundel
Word Count: 1,556
Language: English
Hacker News Points: 43
Summary

Lock files (package-lock.json for npm, yarn.lock for yarn) record the exact resolved version of every direct and transitive dependency, which is exactly what an application wants. They are the wrong tool for a library or CLI published to the npm registry, because lock files do not travel with the package: npm never includes package-lock.json in the published tarball, and any lock file that does end up inside a package is ignored when that package is installed as a dependency. The maintainer therefore tests against the versions frozen in the lock file while every consumer resolves the semver ranges in package.json afresh, so a breaking transitive update shows up on users' machines but not in the maintainer's own test runs (the "works on my machine" effect). The post's recommendation for libraries is to stop generating and committing the lock file (for npm, package-lock=false in .npmrc) so that the maintainer's install matches what users will get. Where consumers genuinely need exact pinning, typically for a CLI tool, npm-shrinkwrap.json is the mechanism: unlike package-lock.json it is published and honoured on install. That choice needs care, because it also stops consumers from receiving patch releases of transitive dependencies until the maintainer republishes.