Should I include package-lock.json in source control?

Should I include package-lock.json in source control? The short answer is yes, always.


The question is simple: should I include package-lock.json in source control? In other words, should it be part of your git source code, or not?

If you are just looking for an answer, then that answer is yes. However, we also want to give you an explanation.

The package-lock.json file should always be part of your source control. Never put it into .gitignore.

Why include package-lock.json in source control?

We already covered the package-lock.json file in detail in this post. In short, it is a JSON file that lists the full dependency tree of your JavaScript application. In other words, if you use external packages and libraries, you will find them listed in this file. What is most interesting, however, is that you also see the dependencies of those packages, and their dependencies in turn, recursively, down to packages that have no dependencies of their own.

The package-lock.json does not simply list the tree of packages. It also records the exact version of each one. It is a complete snapshot of your application's dependencies as they are right now.

If the application is working, you know that this exact configuration of dependencies works. If, later on, a third party updates one of its packages and your application breaks, you can trace the issue back to the version that changed. If you don't include the package-lock.json file in source control, you'll have no idea which module broke the whole thing.

Many developers only include the package.json file (without the lock file) in their source control. That file must be included, but it shouldn't be the only one. The package.json file only tracks direct dependencies, and usually as version ranges rather than exact versions. If a dependency of a dependency changes, you can only see that in your package-lock.json. That's why you need to track both files.
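To make the difference between the two files concrete, here is an added example (not code from the original post) that walks a constructed package.json and a constructed package-lock.json in the lockfileVersion 3 layout, where each installed package lives under a `node_modules/<name>` key with its exact `version`, `resolved` URL and `integrity` hash. The package names, versions, URLs and hashes are made up for the example. It lists every package the lock pins, shows which of those package.json never mentions at all, and flags direct dependencies whose lock entry is missing, which is what you see when package.json was edited but the lock was not regenerated or not committed.

```javascript
// Added example, not part of the original post. All package names, versions,
// URLs and integrity hashes below are constructed sample data.

// Constructed package.json: only direct dependencies, as version RANGES.
const packageJson = {
  name: "demo-app",
  version: "1.0.0",
  dependencies: { "web-framework": "^2.1.0", "logger": "~1.4.0" },
};

// Constructed package-lock.json (lockfileVersion 3 layout): every installed
// package, direct and transitive, pinned to one exact version.
const packageLock = {
  name: "demo-app",
  version: "1.0.0",
  lockfileVersion: 3,
  packages: {
    "": { dependencies: { "web-framework": "^2.1.0", "logger": "~1.4.0" } },
    "node_modules/web-framework": {
      version: "2.1.3",
      resolved: "https://registry.example.invalid/web-framework-2.1.3.tgz",
      integrity: "sha512-CONSTRUCTED_HASH_1",
      dependencies: { "body-parser-lib": "^1.0.0", "cookie-lib": "^0.5.0" },
    },
    "node_modules/body-parser-lib": {
      version: "1.0.7",
      resolved: "https://registry.example.invalid/body-parser-lib-1.0.7.tgz",
      integrity: "sha512-CONSTRUCTED_HASH_2",
      dependencies: { "bytes-lib": "^3.0.0" },
    },
    "node_modules/bytes-lib": {
      version: "3.1.2",
      resolved: "https://registry.example.invalid/bytes-lib-3.1.2.tgz",
      integrity: "sha512-CONSTRUCTED_HASH_3",
    },
    "node_modules/cookie-lib": {
      version: "0.5.0",
      resolved: "https://registry.example.invalid/cookie-lib-0.5.0.tgz",
      integrity: "sha512-CONSTRUCTED_HASH_4",
    },
    "node_modules/logger": {
      version: "1.4.2",
      resolved: "https://registry.example.invalid/logger-1.4.2.tgz",
      integrity: "sha512-CONSTRUCTED_HASH_5",
    },
  },
};

// Exact version the lock pins for a package, or null if the lock has no entry.
// This models only the flat root node_modules layout; npm also supports nested
// node_modules directories for conflicting versions, which are not handled here.
function lockedVersion(lock, name) {
  const entry = lock.packages[`node_modules/${name}`];
  return entry ? entry.version : null;
}

// Breadth-first walk from the root's direct dependencies through each package's
// own dependencies. Returns Map<name, { version, requestedBy, integrity }>.
function fullDependencyTree(lock) {
  const seen = new Map();
  const rootDeps = Object.keys(lock.packages[""].dependencies || {});
  const queue = rootDeps.map((name) => [name, "<root>"]);
  while (queue.length > 0) {
    const [name, parent] = queue.shift();
    if (seen.has(name)) continue;
    const entry = lock.packages[`node_modules/${name}`];
    if (!entry) {
      seen.set(name, { version: null, requestedBy: parent, integrity: null });
      continue;
    }
    seen.set(name, { version: entry.version, requestedBy: parent, integrity: entry.integrity });
    for (const dep of Object.keys(entry.dependencies || {})) queue.push([dep, name]);
  }
  return seen;
}

// Packages that appear in the lock but not in package.json at all. Without a
// committed lock, a fresh install may pick any version of these that the
// parent's range allows, so they are the ones you cannot trace from package.json.
function transitiveOnly(pkg, lock) {
  const direct = new Set(Object.keys(pkg.dependencies || {}));
  return [...fullDependencyTree(lock).keys()].filter((n) => !direct.has(n)).sort();
}

// Direct dependencies whose lock entry is missing or has no integrity hash:
// the lock no longer describes the install, e.g. package.json was edited by
// hand and the lock was not regenerated, or the lock was never committed.
function lockGaps(pkg, lock) {
  return Object.keys(pkg.dependencies || {}).filter((n) => {
    const entry = lock.packages[`node_modules/${n}`];
    return !entry || !entry.integrity;
  });
}

// Demo run on the constructed data.
for (const [name, info] of fullDependencyTree(packageLock)) {
  console.log(`${name}@${info.version} (requested by ${info.requestedBy})`);
}
console.log("only visible in the lock:", transitiveOnly(packageJson, packageLock));
console.log("lock gaps:", lockGaps(packageJson, packageLock));
```

The `lockGaps` check is the one worth wiring into CI: if it returns anything, someone changed package.json without updating the lock, and the build is no longer reproducible from what is in git.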

To recap, you should always include both package.json and package-lock.json in your source control. Thus, never put them in the .gitignore file. In this way you can keep track of the configuration of dependencies of your application. Ultimately, this maximizes portability and predictability.

Alessandro Maggio

Alessandro Maggio

Project manager, critical-thinker, passionate about networking & coding. I believe that time is the most precious resource we have, and that technology can help us not to waste it. I founded ICTShore.com with the same principle: I share what I learn so that you get value from it faster than I did.


Alessandro Maggio

2019-10-24T16:30:28+00:00


JavaScript

