This package seems to be mixing use of yarn and npm. With the advent of yarn 1.7.0 we were given the ability to import package-lock.json from npm into yarn.
It's recommended that we choose one package manager and stick to it throughout the project, to prevent confusion. In the contributing.md, yarn is recommended to be installed, but then is never used within the instructions. In the package.json file npm is chosen over yarn within the scripts.
I also think that we should not maintain two lock files.
Are there any thoughts on this?
I was planning on using Renovate to keep both lock files up to date, but after reading up a bit the consistency issues are best avoided. Choosing to support one or the other is tough, but sounds like we should.
If yarn users have the option of running import locally, that makes package-lock.json an appealing choice, but the extra step for yarn users is an annoying prospect, especially considering that it's currently our primary.
Anyone up for running some comparison tests between the two and posting results here?
@erquhart I thought Yarn was pretty much required for Lerna workspaces?
It sort of is - I could have sworn I had an idea on how to just use the npm lockfile even with that being the case, but can't recall now. Not seeing precedent of checking in package-lock.json in any of the better known Lerna projects.
Yarn can import package-lock.json now -- but there are still differences: https://yarnpkg.com/blog/2018/06/04/yarn-import-package-lock/. Some packages will be on different versions after importing. The post ends with:
We highly recommend you to delete the package-lock.json file if you decide to use yarn in order to avoid future confusion and possible consistency issues.
Just for clarification: workspaces are Yarn Workspaces and Lerna takes advantage of this structure using yarn.
Yup, exactly. It seems like Lerna has its own code to handle workspaces without Yarn -- it's not as nice, though. See https://github.com/lerna/lerna/pull/899.
I have a React web app that keeps generating those files on Github repo even though I've deleted them from my local repo and explicitly said to exclude them in my .gitignore file. These two files have over 60 vulnerabilities that I'm getting auto fixes for. Any idea how I can stop them from being uploaded?
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.
We should just drop package-lock.json. With our yarn dependency due to workspaces, documentation should be updated to indicate yarn rather than npm.
Regarding vulnerabilities, we should be in much better shape now if you're on the latest version. The bots are here to save us all.