
I have a NodeJS project published on GitHub that uses a few NPM modules, as specified in my package.json. I have my package-lock.json committed into the repo.

Recently I got notices on my repository about a recently-discovered security vulnerability in one of my dependencies. Upon further inspection, it wasn't one of my direct dependencies that had a vulnerability but rather a module that one of my dependencies is dependent on. Because all the modules show up in my package-lock.json, the notice comes up telling me to update that dependency to the latest version.

- myproject
  - someDependency
  - anotherDependency
    - aSubDependency
    - anotherOne <--- this one has a security issue

So now I have to question: Is it worth committing a package-lock.json? I wouldn't have any security vulnerabilities in my project if I didn't have a package-lock.json. Now, I am forced to update my project and republish simply to update the package-lock.json. If that file wasn't there at all, the problem would fix itself because anyone who does an install or update of my project using ONLY the package.json would automatically get the updated dependency from up the stream.

Think about it like this. Bob creates moduleA. Then someone else creates moduleB that is dependent on moduleA. Then 1000 developers out in the world create various projects that directly are dependent on moduleB. If Bob discovers a security vulnerability in moduleA, now 1000 people have to make an update to their 1000 projects just to fix this all because they were committing their package-lock.json.

So is it worth it? Do the advantages of package-lock.json outweigh the drawbacks in this topic?

Jake Wilson

  • Without checking that in and using it, you could run into issues of "it works on my box" since you could (will?) be using different versions of everything. Using that helps to make sure that everywhere the software is run is using the same version of 3rd party libraries. – Daniel W Strimpel Oct 15 '19 at 19:26
  • Possible duplicate of [Do I commit the package-lock.json file created by npm 5?](https://stackoverflow.com/questions/44206782/do-i-commit-the-package-lock-json-file-created-by-npm-5) – SpeedOfRound Oct 15 '19 at 19:27
  • What if moduleB is specifying a specific version of moduleA? Anyone just using package.json will install the bad moduleA. – Dan Oct 15 '19 at 19:27
  • To add to this question: what are you supposed to do when a submodule has a vulnerability but its parent module has a hard reference to the outdated module? Do I include the submodule in my package.json or create an issue on the parent's repo? – Woodsy Oct 15 '19 at 19:31
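To see which direct dependency pulls in a flagged transitive package, and whether that parent pins it to an exact version (Dan's point in the comments), here is an added example that is not code from the question or the answer: it walks a lockfileVersion 1 `dependencies` tree the way Node resolves modules. The `pkg` and `lock` objects and the function names are constructed for illustration and mirror the tree in the question.

```javascript
// Constructed package.json and lockfileVersion 1 data mirroring the question's tree
// (not a real project): anotherOne is the transitive package with the advisory.
const pkg = { dependencies: { someDependency: "^1.0.0", anotherDependency: "^3.0.0" } };
const lock = {
  lockfileVersion: 1,
  dependencies: {
    someDependency: { version: "1.0.0", requires: { aSubDependency: "^2.0.0" } },
    anotherDependency: {
      version: "3.1.0",
      requires: { aSubDependency: "~2.3.0", anotherOne: "1.2.3" },
      // nested copy: this parent needs a different aSubDependency than the hoisted one
      dependencies: { aSubDependency: { version: "2.3.9" } },
    },
    aSubDependency: { version: "2.4.0" },
    anotherOne: { version: "1.2.3" },
  },
};

// An exact version (no range operator) will not pick up a patched release on reinstall.
function isPinned(range) {
  return /^v?\d+\.\d+\.\d+(-[\w.]+)?$/.test(range.trim());
}

// Resolve a name the way Node does: nearest ancestor's nested node_modules first, root last.
function resolveEntry(lockfile, name, ancestors) {
  for (let i = ancestors.length - 1; i >= 0; i--) {
    const nested = ancestors[i].dependencies;
    if (nested && nested[name]) return nested[name];
  }
  return lockfile.dependencies[name];
}

// Every chain [{ name, version, requested, pinned }] from a direct dependency down to `target`.
function findPaths(packageJson, lockfile, target) {
  const paths = [];
  function walk(name, entry, requested, ancestors, trail) {
    if (trail.some((s) => s.name === name)) return; // cycle guard
    const step = [...trail, { name, version: entry.version, requested, pinned: isPinned(requested) }];
    if (name === target) { paths.push(step); return; }
    const next = [...ancestors, entry];
    for (const [dep, range] of Object.entries(entry.requires || {})) {
      const child = resolveEntry(lockfile, dep, next);
      if (child) walk(dep, child, range, next, step);
    }
  }
  for (const [name, range] of Object.entries(packageJson.dependencies || {})) {
    if (lockfile.dependencies[name]) walk(name, lockfile.dependencies[name], range, [], []);
  }
  return paths;
}
```

On a real project, load the two files with `require("./package.json")` and `require("./package-lock.json")` instead of the constructed objects; `npm ls <package>` prints the same chain from the installed tree.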

1 Answer


Yes, it is worth it.

This file is intended to be committed into source repositories, and serves various purposes:

  • Describe a single representation of a dependency tree such that teammates, deployments, and continuous integration are guaranteed to install exactly the same dependencies.

  • Provide a facility for users to “time-travel” to previous states of node_modules without having to commit the directory itself.

  • To facilitate greater visibility of tree changes through readable source control diffs.

  • And optimize the installation process by allowing npm to skip repeated metadata resolutions for previously-installed packages.

See npm documentation

See GitHub - "Viewing and updating vulnerable dependencies in your repository"

Roman Mahotskyi