377

Yarn creates a yarn.lock file after you perform a yarn install.

Should this be committed to the repository or ignored? What is it for?

Aurora0001
  • 10,827
  • 5
  • 47
  • 50
rlay3
  • 8,052
  • 6
  • 27
  • 21
  • 4
    IMHO, this question (and most of the below answers) are incomplete due to missing the question of, "How and when should we regenerate the yarn.lock file?" – MarkHu Jun 21 '18 at 19:49
  • 2
    Do you know now how and when? – jayarjo Oct 18 '18 at 10:29
  • @MarkHu found it here: https://yarnpkg.com/lang/en/docs/yarn-lock/#toc-managed-by-yarn So basically: `Your yarn.lock file is auto-generated and should be handled entirely by Yarn. As you add/upgrade/remove dependencies with the Yarn CLI, it will automatically update your yarn.lock file. ` – jayarjo Oct 18 '18 at 12:25
  • Related: https://stackoverflow.com/questions/45614973/how-to-have-yarn-fail-on-yarn-install-when-package-json-and-yarn-lock-are-out-of – k0pernikus Dec 09 '19 at 17:33

9 Answers9

347

Yes, you should check it in, see Migrating from npm

Why is it for?
The npm client installs dependencies into the node_modules directory non-deterministically. This means that based on the order dependencies are installed, the structure of a node_modules directory could be different from one person to another. These differences can cause works on my machine bugs that take a long time to hunt down.

Yarn resolves these issues around versioning and non-determinism by using lock files and an install algorithm that is deterministic and reliable. These lock files lock the installed dependencies to a specific version and ensure that every install results in the exact same file structure in node_modules across all machines.

Junaid
  • 3,203
  • 1
  • 23
  • 31
ckuijjer
  • 11,335
  • 3
  • 36
  • 43
  • 40
    Nice find. I've a found the following from their [docs](https://code.facebook.com/posts/1840075619545360/yarn-a-new-package-manager-for-javascript/) that answers "what is it for?": "The npm client installs dependencies into the node_modules directory non-deterministically. This means that based on the order dependencies are installed, the structure of a node_modules directory could be different from one person to another. These differences can cause “works on my machine” bugs that take a long time to hunt down." – rlay3 Oct 12 '16 at 23:31
  • 16
    Continued: "Yarn resolves these issues around versioning and non-determinism by using lockfiles and an install algorithm that is deterministic and reliable. These lockfiles lock the installed dependencies to a specific version, and ensure that every install results in the exact same file structure in node_modules across all machines." – rlay3 Oct 12 '16 at 23:31
  • Instead of saying "no lockfile found". It should just say "Generating yarn.lock file". Duh :) It's not an error, but the former sounds like an error. And the latter will be alarming enough for anyone in the inverse scenario, (where they expect to have a yarn.lock file, but apparently don't). – Alexander Mills Dec 03 '16 at 09:57
  • 9
    I appreciate yarn.lock is locking our project to specific package versions, but I do feel the use of the word "lock" is unfortunate. Usually [lock files](https://en.wikipedia.org/wiki/File_locking#Lock_files) (such as [.ldb](https://support.microsoft.com/en-sg/help/966848/what-is-an-ldb-file)) are a means of limiting a resource to one process at a time to prevent the corruption interceding updates can cause. Such lock files should definitely not be committed to version control, which is possibly where most of the confusion about yarn.lock stems from. – Antony Jun 27 '17 at 12:55
  • 3
    I really don't like the phrase "you don't need to read or understand this file". This is an important file to maintain your project. – Nathan Goings Jul 10 '19 at 19:42
  • `yarn install` will mutate the `yarn.lock` file though on default. To ensure it checks packlage.json and yarn.lock are in sync and does not just update a dependency, you rather should install dependencies via `yarn install --frozen-lockfile`. I use this when developing and on my CI servers. Only if I want to update packages to update, I use `yarn install`. See: https://github.com/yarnpkg/yarn/issues/4147 – k0pernikus Sep 27 '19 at 11:07
107

Depends on what your project is:

  1. Is your project an application? Then: Yes
  2. Is your project a library? If so: No

A more elaborate description of this can be found in this GitHub issue where one of the creators of Yarn eg. says:

The package.json describes the intended versions desired by the original author, while yarn.lock describes the last-known-good configuration for a given application.

Only the yarn.lock-file of the top level project will be used. So unless ones project will be used standalone and not be installed into another project, then there's no use in committing any yarn.lock-file – instead it will always be up to the package.json-file to convey what versions of dependencies the project expects then.

VoxPelli
  • 2,290
  • 1
  • 14
  • 22
  • 9
    On the other hand, would not having the lock file in library projects influence the reproducibility of their respective tests? – SE_net4 the downvoter Nov 22 '16 at 19:35
  • 1
    If I read your description correctly, than "Is your project a library?" could be answered with "If you want". It doesn't seem to have downsides, but could be useful, if you have complex devDependencies and you want every developer of your lib to have the same build and tests scripts. Right? – Pipo Nov 23 '16 at 12:10
  • 5
    As the lock file won't be respected for any users of your library, then relying on it when developing the library could give a false sense of security – VoxPelli Nov 23 '16 at 12:11
  • 1
    Dart has the same system with pubspec.yaml and pubspec.lock and recommends the same as in the answer. See [this](http://stackoverflow.com/questions/16136739/in-dart-and-pub-should-i-add-pubspec-lock-to-my-gitignore) question and [this](https://www.dartlang.org/tools/pub/glossary#application-package) documentation entry. – Jonas Kello Dec 02 '16 at 17:25
  • 21
    Please see this entry in Yarn's official blog: [Lock files should be committed on all projects](https://yarnpkg.com/blog/2016/11/24/lockfiles-for-all) – SE_net4 the downvoter Dec 02 '16 at 17:45
  • For reference: Influential node.js developers like Sindre Sorhus has shared similar thoughts: https://github.com/sindresorhus/ama/issues/479#issuecomment-310661514 – VoxPelli Aug 16 '19 at 16:26
  • Note: The lead maintainer of Yarn objects to this: https://twitter.com/arcanis/status/1164229994165559299 – VoxPelli Sep 09 '19 at 09:19
76

I see these are two separate questions in one. Let me answer both.

Should you commit the file into repo?

Yes. As mentioned in ckuijjer's answer it is recommended in Migration Guide to include this file into repo. Read on to understand why you need to do it.

What is yarn.lock?

It is a file that stores the exact dependency versions for your project together with checksums for each package. This is yarn's way to provide consistency for your dependencies.

To understand why this file is needed you first need to understand what was the problem behind original NPM's package.json. When you install the package, NPM will store the range of allowed revisions of a dependency instead of a specific revision (semver). NPM will try to fetch update the dependency latest version of dependency within the specified range (i.e. non-breaking patch updates). There are two problems with this approach.

  1. Dependency authors might release patch version updates while in fact introducing a breaking change that will affect your project.

  2. Two developers running npm install at different times may get the different set of dependencies. Which may cause a bug to be not reproducible on two exactly same environments. This will might cause build stability issues for CI servers for example.

Yarn on the other hand takes the route of maximum predictability. It creates yarn.lock file to save the exact dependency versions. Having that file in place yarn will use versions stored in yarn.lock instead of resolving versions from package.json. This strategy guarantees that none of the issues described above happen.

yarn.lock is similar to npm-shrinkwrap.json that can be created by npm shrinkwrap command. Check this answer explaining the differences between these two files.

bennygenel
  • 20,219
  • 5
  • 51
  • 71
Juriy
  • 4,591
  • 8
  • 32
  • 51
  • 1
    But I see `yarn.lock` being updated now and then, do you know why and when `yarn` does that? – jayarjo Oct 18 '18 at 12:20
  • 1
    Yarn issues [#4379](https://github.com/yarnpkg/yarn/issues/4379) and [#4147](https://github.com/yarnpkg/yarn/issues/4147) suggest that `yarn` updates `yarn.lock` in many cases, including running `yarn install` without changes to package.json. Using `yarn install --frozen-lockfile` as suggested in [Why does running yarn on windows changes yarn.lock](https://stackoverflow.com/questions/51669211/why-does-running-yarn-on-windows-changes-yarn-lock) (or configuring it via `.yarnrc`) seems like the best bet. – Lauri Harpf May 10 '19 at 04:56
  • npm nowadays has a `package-lock.json` and a `npm ci`. That workflow is analogous yarn's `yarn.lock` and `yarn install --frozen-lockfile`. – k0pernikus Sep 27 '19 at 11:20
12

You should:

  1. add it to the repository and commit it
  2. use yarn install --frozen-lockfile and NOT yarn install as a default both locally and on CI build servers.

(I opened a ticket on yarn's issue tracker to make a case to make frozen-lockfile default behavior, see #4147).

Beware to NOT set the frozen-lockfile flag in the .yarnrc file as that would prevent you from being able to sync the package.json and yarn.lock file. See the related yarn issue on github

yarn install may mutate your yarn.lock unexpectedly, making yarn claims of repeatable builds null and void. You should only use yarn install to initialize a yarn.lock and to update it.

Also, esp. in larger teams, you may have a lot of noise around changes in the yarn lock only because a developer was setting up their local project.

For further information, read upon my answer about npm's package-lock.json as that applies here as well.

This was also recently made clear in the docs for yarn install:

yarn install

Install all the dependencies listed within package.json in the local node_modules folder.

The yarn.lock file is utilized as follows:

  • If yarn.lock is present and is enough to satisfy all the dependencies listed in package.json, the exact versions recorded in yarn.lock are installed, and yarn.lock will be unchanged. Yarn will not check for newer versions.
  • If yarn.lock is absent, or is not enough to satisfy all the dependencies listed in package.json (for example, if you manually add a dependency to package.json), Yarn looks for the newest versions available that satisfy the constraints in package.json. The results are written to yarn.lock.

If you want to ensure yarn.lock is not updated, use --frozen-lockfile.

k0pernikus
  • 41,137
  • 49
  • 170
  • 286
  • While true, the only time I can think that you would _have_ to use `--frozen-lockfile` is if someone manually updated package.json without subsequently running `yarn install` and committing the updates. So a CI might want to use that flag, but developers should not because it hides the issues. – jkrehm Feb 03 '20 at 21:40
  • @jkrehm Depends on what you mean by hiding issues. I had more trouble with unexpectedly changed `yarn.lock` files introduced by `yarn install`, either by bloating pull requests, or by causing unnecessary merge conflicts, or by pulling a breaking library. (Only because a library uses semvar, doesn't mean an patch / minor update won't break your app -- I have been there). I consider updating `yarn.lock` should only be a manual step, which is why I rely on `yarn install --frozen-lockfile` (and `npm ci` on npm projects) even on my dev machine as it is reliable and deterministic. – k0pernikus Feb 04 '20 at 09:46
  • 1
    I've never had an issue with `yarn.lock` getting updated unexpectedly (been using since Oct 2016 when it came out). It's always been a user doing something manually or a lousy post-install script. It's the reason I prefer Yarn over NPM (NPM updates everything any ol' time it wants). I guess I'll consider myself fortunate to not have run into those issues. – jkrehm Feb 07 '20 at 17:37
10

I'd guess yes, since Yarn versions its own yarn.lock file: https://github.com/yarnpkg/yarn

It's used for deterministic package dependency resolution.

jarekwg
  • 319
  • 1
  • 8
9

From My experience I would say yes we should commit yarn.lock file. It will ensure that, when other people use your project they will get the same dependencies as your project expected.

From the Doc

When you run either yarn or yarn add , Yarn will generate a yarn.lock file within the root directory of your package. You don’t need to read or understand this file - just check it into source control. When other people start using Yarn instead of npm, the yarn.lock file will ensure that they get precisely the same dependencies as you have.

One argue could be, that we can achieve it by replacing ^ with --. Yes we can, but in general, we have seen that majority of npm packages comes with ^ notation, and we have to change notation manually for ensuring static dependency version.But if you use yarn.lock it will programatically ensure your correct version.

Also as Eric Elliott said here

Don’t .gitignore yarn.lock. It is there to ensure deterministic dependency resolution to avoid “works on my machine” bugs.

Anshul
  • 8,324
  • 9
  • 53
  • 70
7

Yes, You should commit it. For more about yarn.lock file, refer the official docs here

Navin prasad
  • 556
  • 7
  • 12
5

Not to play the devil's advocate, but I have slowly (over the years) come around to the idea that you should NOT commit the lock files.

I know every bit of documentation they have says that you should. But what good can it possibly do?! And the downsides far outweigh the benefits, in my opinion.

Basically, I have spent countless hours debugging issues that have eventually been solved by deleting lock files. For example, the lock files can contain information about which package registry to use, and in an enterprise environment where different users access different registries, it's a recipe for disaster.

Additionally, the lock files can really mess up your dependency tree. Because yarn and npm create a complex tree and keep external modules of different versions in different places (e.g. in the node_modules folder within a module in the top node_modules folder of your app), if you update dependencies frequently, it can create a real mess. Again, I have spent tons of time trying to figure out what an old version of a module was still being used in a dependency wherein the module version had been updated, only to find that deleting the lock file and the node_modules folder solved all the hard-to-diagnose problems.

I even have shell aliases now that delete the lock files (and sometimes node_modules folders as well!) before running yarn or npm.

Just the other side of the coin, I guess, but blindly following this dogma can cost you........

nerdlinger
  • 381
  • 5
  • 14
  • 1
    "an enterprise environment where different users access different registries" I think _that_ in itself is a recipe for disaster. A project should share the same registries across all users, or you will get problems. – Vincent McNabb May 04 '21 at 20:11
  • Couldn't agree more, seems like the problem is with your enterprise setup, not with the lock file. – Chris May 06 '21 at 18:22
4

Yes! yarn.lock must be checked in so any developer who installs the dependencies get the exact same output! With npm [that was available in Oct 2016], for instance, you can have a patch version (say 1.2.0) installed locally while a new developer running a fresh install might get a different version (1.2.1).

enapupe
  • 10,639
  • 3
  • 24
  • 41
  • 1
    The npm behaviour you mentioned depends on how you save your dependencies. If you save with `--save-exact` when using npm, you can achieve the same behaviour. – AlicanC Oct 12 '16 at 18:05
  • 4
    @AlicanC I don't think it's that simple. I believe yarn (through a committed lock file) will guarantee the same version of packages *and all their dependencies as well*. This is something NPM has always had a problem with, because a dependency of a dependency might not be pinned to a specific version, so a new install might pull in different lower-level dependencies. NPM shrinkwrap was supposed to solve this issue to some extent, but it was always tricky and very often doesn't work correctly. – nextgentech Oct 12 '16 at 20:56
  • @nextgentech If in that case how do i make sure that the dependency of the dependency is updated properly. Suppose if i have a main package which has some (say 3) dependent packages. I will watch for the changes in my main package and update it in the package.json. But if any of the 3 sub package is updated by them how will i get the changes? Because of the lock file those dependencies will not be updated right? – Pragatheeswaran Oct 20 '16 at 16:05
  • I haven't messed around with it a whole lot yet, but I believe that is where the `yarn upgrade` command comes into play. This command will upgrade all packages and recreate the lock file. So, for example, if you are deploying an app to production and need to install the dependencies it would do so based on the lock file pulled down from the repository. You should never run `yarn upgrade` unless you are explicitly wanting to change dependency information (and thus commit a new lock file). – nextgentech Oct 20 '16 at 19:33
  • `yarn install` won't ensure same versions. Only `yarn install --frozen-lockfile` does. – k0pernikus Sep 27 '19 at 11:14