
The Purpose and Importance of .lock Files

3 min read

If you've ever used a package manager like npm or yarn, you're familiar with files that are auto-generated by those package managers. package-lock.json is generated by npm and yarn.lock is generated by yarn.


So, I'm sure many of you have wondered:

What exactly is the purpose of that file?

Why must it be committed to git?

What happens if you delete the lockfile or don't include it in git?

If you delete it, there's no immediate impact anyway.

Okay, let me explain and give you examples from my production experience at Seller Center Bukalapak. I'll explain what a lockfile is and when it started being implemented in the JavaScript world.


When and Why Lock Files Exist in the JavaScript World

Lock files were introduced by Yarn when it was first released, followed by npm in version 5.

It all started with a common problem. When we create a Node project on our computer, everything runs smoothly after installing all the dependencies the project needs. But on another computer, it won't run even though the steps are exactly the same.

How is that possible?

Well, it's definitely possible. There are many possible causes, but let's focus on the one lock files address: the rapid pace at which JavaScript packages publish new versions.

For example, suppose we have a package called p1 listed in package.json like this:

{
  "dependencies": {
    // ...
    "p1": "^1.0.0"
    // ...
  }
}

On the first computer, exactly p1@1.0.0 gets installed and runs normally without issues. But by the time the second computer installs, the package has published a new version, p1@1.1.0, which the range ^1.0.0 also accepts, so that version gets installed instead and has errors everywhere. That's likely what's causing the error.

Yup, lock files appeared to handle this problem: they ensure that the installed packages match exactly what's recorded in the lock file. Let me explain it simply:

  • When we install dependency p1@1.0.0 on the first computer, yarn/npm automatically creates a lock file stating that p1 must be 1.0.0.
  • After that, commit and push together with the lock file.
  • When another computer runs the install, the package manager first checks whether there's a lock file in the project. If there is, it uses the versions listed in the lock file.
  • If there isn't one, it resolves the versions fresh and creates a new lock file.
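To make the resolution difference concrete, here is an added toy model (not npm's or yarn's code) of how "^1.0.0" is resolved with and without a lock file, including the consistency check that refuses a lock file whose pinned version no longer satisfies package.json. The registry contents, package.json and lock file below are constructed sample data.

```javascript
// Parse "1.2.3" (or "v1.2.3") into [1, 2, 3].
function parseVersion(v) {
  return v.replace(/^v/, "").split(".").map(Number);
}

// Compare two parsed versions: negative, zero or positive.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// Caret range semantics: the left-most non-zero component must not change
// (^1.2.3 -> same major, ^0.2.3 -> same minor, ^0.0.3 -> exact), and the
// version must be at or above the base.
function satisfiesCaret(range, version) {
  const base = parseVersion(range.slice(1));
  const ver = parseVersion(version);
  const firstNonZero = base.findIndex((n) => n !== 0);
  const fixedUpTo = firstNonZero === -1 ? 2 : firstNonZero;
  for (let i = 0; i <= fixedUpTo; i++) if (ver[i] !== base[i]) return false;
  return compareVersions(ver, base) >= 0;
}

// Without a lock file: take the highest published version in range. This is
// why a fresh install drifts as soon as the registry gains a new release.
function resolveWithoutLock(range, published) {
  return published
    .filter((v) => satisfiesCaret(range, v))
    .sort((a, b) => compareVersions(parseVersion(a), parseVersion(b)))
    .pop(); // undefined if nothing in range
}

// With a lock file: the pinned version wins, but it must still satisfy the
// range in package.json; otherwise the install is refused (as `npm ci` does
// when package.json and package-lock.json disagree).
function resolve(name, pkgJson, lockfile, published) {
  const range = pkgJson.dependencies[name];
  const pinned = lockfile && lockfile[name];
  if (!pinned) return resolveWithoutLock(range, published);
  if (!satisfiesCaret(range, pinned.version)) {
    throw new Error(`${name}@${pinned.version} in lock file does not satisfy ${range}`);
  }
  return pinned.version;
}

// Constructed data: the registry as seen by the first and second computer.
const pkgJson = { dependencies: { p1: "^1.0.0" } };
const lockfile = { p1: { version: "1.0.0" } };
const registryLater = ["0.9.0", "1.0.0", "1.1.0", "2.0.0"];
console.log(resolve("p1", pkgJson, null, registryLater));     // 1.1.0 (drift)
console.log(resolve("p1", pkgJson, lockfile, registryLater)); // 1.0.0 (pinned)
```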

Why Lock Files Must Be Committed

Okay, if you're coding alone, you don't necessarily need to commit it. But it's different when you're in a team and coding together: then it's mandatory to include it in the files that get committed. Why?

As explained above, to avoid package mismatches between different computers that would cause the code to fail. You don't want code that only works on your computer; that would make you look selfish wanting to code alone. 🙊


TLDR

Lock files are very important when you're not coding alone: they prevent dependency version mismatches between computers that could make the project fail. So it's definitely mandatory to include them in commits.
