I have a NodeJS project published on GitHub that uses a few NPM modules, as specified in my package.json. I have my package-lock.json committed into the repo.
Recently I got notices on my repository about a recently-discovered security vulnerability in one of my dependencies. Upon further inspection, it wasn't one of my direct dependencies that had a vulnerability but rather a module that one of my dependencies is dependent on. Because all the modules show up in my package-lock.json, the notice comes up telling me to update that dependency to the latest version.
- myproject
- someDependency
- anotherDependency
- aSubDependency
- anotherOne <--- this one has a security issue
So now I have a question: Is it worth committing a package-lock.json? I wouldn't have any security vulnerabilities in my project if I didn't have a package-lock.json. Now, I am forced to update my project and republish simply to update the package-lock.json. If that file wasn't there at all, the problem would fix itself, because anyone who does an install or update of my project using ONLY the package.json would automatically get the updated dependency from upstream.
Think about it like this. Bob creates moduleA. Then someone else creates moduleB, which is dependent on moduleA. Then 1000 developers out in the world create various projects that are directly dependent on moduleB. If Bob discovers a security vulnerability in moduleA, now 1000 people have to make an update to their 1000 projects just to fix this, all because they were committing their package-lock.json.
So is it worth it? Do the advantages of package-lock.json outweigh the drawbacks in this topic?
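As an added illustration (not part of the question), the script below walks a lockfile in the lockfileVersion 2 "packages" layout and reports every dependency chain from the project root to a flagged package, filtered to the copies still resolving below the fixed version. The lockfile, package names and versions are constructed to mirror the question's tree; the head of each reported chain is the direct dependency whose update would actually pull in the fix.

```javascript
// Constructed lockfile (lockfileVersion 2 "packages" layout) mirroring the question's tree; all names/versions are made up.
const lock = {
  name: "myproject",
  lockfileVersion: 2,
  packages: {
    "": { dependencies: { someDependency: "^1.0.0", anotherDependency: "^3.0.0" } },
    "node_modules/someDependency": { version: "1.2.0", dependencies: { aSubDependency: "^2.0.0" } },
    "node_modules/aSubDependency": { version: "2.0.1", dependencies: { anotherOne: "^0.3.0" } },
    "node_modules/anotherOne": { version: "0.3.2" },
    "node_modules/anotherDependency": { version: "3.1.0", dependencies: { anotherOne: "^1.0.0" } },
    "node_modules/anotherDependency/node_modules/anotherOne": { version: "1.4.0" }, // nested, newer copy
  },
};

// npm looks up a dependency of the package installed at `fromPath` in that
// package's own node_modules, then in each ancestor's, then at the root.
function resolve(packages, fromPath, name) {
  let dir = fromPath;
  for (;;) {
    const candidate = (dir ? dir + "/" : "") + "node_modules/" + name;
    if (packages[candidate]) return candidate;
    if (dir === "") return null;
    const idx = dir.lastIndexOf("/node_modules/");
    dir = idx === -1 ? "" : dir.slice(0, idx);
  }
}

// Plain x.y.z comparison (assumption: no pre-release tags in the lockfile).
function isBefore(a, b) {
  const [pa, pb] = [a, b].map((v) => v.split(".").map(Number));
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] < pb[i];
  return false;
}

// Depth-first walk from the root collecting every chain that ends in `target`;
// with `fixedIn` set, only chains still resolving to a version below the fix.
function chainsTo(packages, target, fixedIn) {
  const found = [];
  const walk = (path, chain) => {
    for (const name of Object.keys(packages[path].dependencies || {})) {
      const child = resolve(packages, path, name);
      if (!child || chain.some((c) => c.path === child)) continue; // unresolved or cycle
      const next = chain.concat({ path: child, label: `${name}@${packages[child].version}` });
      const hit = name === target && (!fixedIn || isBefore(packages[child].version, fixedIn));
      if (hit) found.push(next.map((c) => c.label).join(" > "));
      walk(child, next);
    }
  };
  walk("", []);
  return found;
}

console.log(chainsTo(lock.packages, "anotherOne", "1.0.0"));
```

On a real repository, replace the constructed `lock` object with `JSON.parse(fs.readFileSync("package-lock.json"))`; the nested copy under anotherDependency shows why only some chains need a bump.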