Should I commit yarn.lock and package-lock.json files?

Question

We're using yarn for all our deterministic pkg installations but don't prevent the user from using npm - I'm guessing having both these files will cause issues however. Should one be added to your .gitignore dir?

Possible duplicate of [Should I commit the yarn.lock file and what is it for?](https://stackoverflow.com/questions/39990017/should-i-commit-the-yarn-lock-file-and-what-is-it-for) — Aurora0001, Jun 17 '17 at 10:29

Robin Winslow · Answer 1 · 2019-02-22T10:14:41.330

Always commit dependency lock files in general

As is covered elsewhere, dependency lock files, which are supported by many package management systems (e.g.: composer and bundler), should be committed to the codebase in end-of-chain projects - so that each individual trying to run that project is doing so with exactly the tested set of dependencies.

It's less clear whether lock files should always be committed into packages that are intended to be included in other projects (where looser dependencies are desirable). However, both Yarn and NPM (as covered by @Cyrille) intelligently ignore yarn.lock and package-lock.json respectively where necessary, making it safe to always commit these lockfiles.

So you should always commit at least one of yarn.lock or package-lock.json depending on which package manager you're using.

Should you commit both yarn.lock and package-lock.json?

At present we have two different package management systems, which both install the same set of dependencies from package.json, but which generate and read from two different lockfiles. NPM 5 generates package-lock.json, whereas Yarn generates yarn.lock.

If you commit package-lock.json then you're building in support for people installing your dependencies with NPM 5. If you commit yarn.lock, you're building in support for people installing dependencies with Yarn.

Whether you choose to commit yarn.lock or package-lock.json or both depends on whether those developing on your project are only using Yarn or NPM 5 or both. If your project is open-source, the most community-friendly thing to do would probably be to commit both and have an automated process to ensure yarn.lock and package-lock.json always stay in sync.

Update: Yarn have now introduced an import command which will generate a yarn.lock file from a package-lock.json file. This could be useful for keeping the two files in sync. (Thanks @weakish)

This issues was discussed at length on the Yarn project in:

Both are now closed.

Great answer. However, regarding your point: _"The safest thing to do would be to generate and commit them both every time your dependencies change."_ I'm not sure why this would be the "safest" thing to do. As you mentioned, it's very likely that _"the two files might get out-of-sync."_ @crimbo's answer explains this problem in more detail. — TachyonVortex, Oct 26 '17 at 09:49
I think this might be a difference in whether you get to control all the people that run your project. If you own the team, sure, standardise on Yarn and use yarn.lock. *But* if it's an open source project (like all ours) people may well be using NPM on your projects, even though you use Yarn internally. So the ideal safest thing to do would be to use an automated system to ensure both yarn.lock and package-lock.json would remain in sync. And also put pressure on Yarn to switch to package-lock.json. — Robin Winslow, Oct 27 '17 at 15:54
`yarn import` was introduced in 2018. https://yarnpkg.com/blog/2018/06/04/yarn-import-package-lock/ — weakish, Feb 13 '19 at 08:00

score 21 · Answer 2 · answered Oct 05 '17 at 16:20

You should commit 1 dependency tree lock file, but you shouldn't commit both. This also requires standardizing on either yarn or npm (not both) to build + develop a project with.

Here's the yarn article on why yarn.lock should be committed, if you standardize on yarn.

If you commit both the yarn.lock file, AND the package-lock.json files there are a lot of ways that the 2 files can provide different dependency trees (even if yarn's and npm's tree resolution algorithms are identical), and it's non-trivial to ensure that they provide exactly the same answer. Since it's non-trivial, it's unlikely that the same dependency tree will be maintained in both files, and you don't want different behavior depending on whether the build was done using yarn or npm.

If and when yarn switches from using yarn.lock to package-lock.json (issue here), then the choice of lock file to commit becomes easy, and we no longer have to worry about yarn and npm resulting in different builds. Based on this blog post, this is a change we shouldn't expect soon (the blog post also describes the differences between yarn.lock and package-lock.json.

score 14 · Answer 3 · edited May 13 '19 at 20:05

I was thinking about the same question. Here are my thoughts, hope it helps :

The npm package-lock.json documentation says the following :

package-lock.json is automatically generated for any operations where npm modifies either the node_modules tree, or package.json. It describes the exact tree that was generated, such that subsequent installs are able to generate identical trees, regardless of intermediate dependency updates.

This is great because it prevents the "works on my machine" effect.

Without this file, if you npm install --save A, npm will add "A": "^1.2.3" to your package.json. When somebody else runs npm install on your project, it is possible that the version 1.2.4 of A has been released. Since it is the latest available version that satisfies the semver range specified in your package.json, it will install this version. But what if there's a new bug introduced in this version ? This person will have a problem that you can't reproduce because you have the previous version, without any bug.

By fixing the state of your node_modules directory, package-lock.json file prevents this problem because everybody will have the same versions of every packages.

But, what if you're writing and publishing a npm module ? The documentation says the following :

One key detail about package-lock.json is that it cannot be published, and it will be ignored if found in any place other than the toplevel package.

So, even if you commit it, when the user installs your module, he/she will not get the package-lock.json file, but only the package.json file. So npm will install the latest version that satisfies the semver ranges of all your dependencies. It means that you always want to test your module with theses verions of your dependencies, and not the one you installed when you started writing your module. So, in that case, package-lock.json is clearly useless. More, it can be annoying.

ravinggenius · Answer 4 · 2017-07-16T04:35:52.637

7

Here's my rule of thumb: if you are working on an application, commit the lock file(s). If you are maintaining a library, add it to your ignored list. Either way you should be using accurate semver ranges in package.json. Yehuda Katz (cached) wrote a great explanation for when to commit Gemfile.lock (Ruby's lock file) and when to not. At least read the tl;dr section.

edited Jul 16 '17 at 04:35

answered Jun 19 '17 at 16:12

ravinggenius

724
4
14

The link is broken. – Juha Syrjälä Jul 14 '17 at 09:18
Thanks @JuhaSyrjälä. I added a second link to the article. – ravinggenius Jul 16 '17 at 04:37
Where is the ignore list for npm or yarn? – neves Mar 26 '18 at 22:31
"ignore list" will be specific to your project's source repository (git, mercurial, Subversion). In the case of git, the file is called `.gitignore`, and is typically at the root of the project. – ravinggenius Apr 13 '18 at 15:05

score 6 · Answer 5 · answered Sep 07 '18 at 15:50

You're correct! Allowing both npm and yarn to be used is going to cause issues. Take a look at this article.

Currently, we’re planning to add some warnings to users who use both yarn and npm in the same repository to install packages.

We highly recommend you to delete the package-lock.json file if you decide to use yarn in order to avoid future confusion and possible consistency issues.

You may not want both npm and yarn as your package manager.

score 2 · Answer 6 · answered Jun 16 '17 at 03:28

These files are managed by your tools, so–assuming using yarn will effectively update the package-lock.json–I suppose committing both files works fine.

I think the most important for your user is package-lock.json (I, for instance, don't use yarn) so this one has to be committed.

For the yarn.lock, it depends if you work alone or in a team. If solo, then I suppose there is no need to commit it. If you (plan to) work in a team, then you probably should commit it, at least until yarn supports it

I suppose the yarn team will eventually stop using yarn.lock and use package-json.lock instead, at this time it will become simpler

The didn't stop using yarn.lock. – jayarjo Feb 08 '19 at 17:22 — jayarjo, Feb 08 '19 at 17:22

score 0 · Answer 7 · answered Sep 27 '18 at 19:33

No, using both lock files simultaneously will most often result in inconsistencies in your dependency tree, especially when collaborating on a team. Ignoring one lock or the other is a simple solution. Just make sure your team understands and agrees with this change.

Should I commit yarn.lock and package-lock.json files?

7 Answers7

Always commit dependency lock files in general

Should you commit both yarn.lock and package-lock.json?

Linked