npm and yarn: does package.json have the priority over lockfile? - javascript

Let's consider npm 5.3.0+.
Imagine I've just created package.json in empty directory and run npm i. Then I've edited package versions in package.json. At this point, package.json is inconsistent with package-lock.json.
Question: what happens if I run npm i again? Which file would be the source of truth? In npm docs I've found only a vague statement "Whenever you run npm install, npm generates or updates your package lock".
Same question for yarn.

I've got the similar problem while using yarn. Here are some ideas maybe helpful to you,
If yarn.lock is present and is enough to satisfy all the dependencies listed in package.json, the exact versions recorded in yarn.lock are installed, and yarn.lock will be unchanged. Yarn will not check for newer versions.
If yarn.lock is absent, or is not enough to satisfy all the dependencies listed in package.json (for example, if you manually add a dependency to package.json), Yarn looks for the newest versions available that satisfy the constraints in package.json. The results are written to yarn.lock.
https://classic.yarnpkg.com/en/docs/cli/install/
Which file would be the source of truth?
It depends on whether version of 3rd party package in yarn.lock satisfies package
version's limitation in package.json. If it is, the yarn.lock file is "the source of truth"; otherwise, it should be package.json.

Related

package-lock.json not updated after removing a package from package.json?

If i manually add a package to package.json and then run npm install, my package-lock.json gets updated with that new package's dependencies.
However, if i then manually delete that package from package.json from npm install, that package's dependencies are not removed from package-lock.json.
So - package-lock.json only gets modified when adding/updating packages in package.json? Not when removing?
This is a known issue with npm.
See issue :package-lock.json file not updated after package.json file is changed
" For now I'm working around it by changing my npm install command to rm -f package-lock.json && npm install. Obviously, that's not an elegant solution, and somewhat defeats the purpose of having a lockfile in the first place."
rm -f package-lock.json && npm install
This is supposed to be fixed in : https://github.com/npm/npm/pull/17508
See article : https://medium.com/coinmonks/everything-you-wanted-to-know-about-package-lock-json-b81911aa8ab8 for a better understanding.
Removal of package-lock.json should be only done in case of corrupted lock file. To remove package you should just use npm cli (it will update lock file)
npm uninstall <package>
This is a good explanation. https://stackoverflow.com/a/54127283/5040275
From the NodeJs docs
The package-lock.json sets your currently installed version of each package in stone, and npm will use those exact versions when running npm install.
NPM by default will read the package-lock.json file.
Therefore, in the first scenario, npm is reading the package entry from package.json since that's the only file which has an entry of the particular package.
Whereas in the second scenario, it is reading it from package-lock.json, as is its default behaviour

my installed packages got lost in node_modules

In my project i'm using git and node_modules folder is obviously ignored. i was working branch1 and added some dependencies(e.g redux) and installed them via npm install. then i switched to branch2 which was created same time with branch1 and now it has some different dependencies than branch1. i used npm install again inorder to install those packages.
so here is what happened: when i came back to branch1 none of my already installed packages during working in branch1 were found. i expected that 'cause node_modules is ignored both of branches packages exist. i had to run npm install again although i installed them before.
so my question is what caused this? is it git doing sth? or npm does sth?
Here’s a hypothetical scenario that may help explain:
On branch 1 you install “A”. It gets saved to node_modules and you commit changes to the package.json and package-lock.json.
You checkout branch 2, causing your package.json and package-lock.json to no longer have “A” - although your node_modules are left untouched (gitignored), meaning “A” is still there.
You run npm install on branch 2, which uses your package.json and package-lock.json to update your node_modules per their specifications. Because they don’t have “A”, it gets removed from your node_modules.
You checkout branch 1, and again your node_modules are unaffected by this git checkout - this means you’ll need to run “npm install” again to get “A” back in node_modules.

Bumping package-lock.json and packge.lock at the same time?

Prior to publishing to NPM I need to bump the minor version. What I usually do is:
- Change package.json
- Run npm i which syncs package-lock.json with the change. Now both can be published.
Is there a way to do this with a single NPM command?
Use npm version.
For example, the following command
npm version 1.0.2
will bump both package.json and package-lock.json to 1.0.2
The following command
npm i -S <module>#<version>
installs the specific version of the given module.
-S or --save tells npm to save the reference of the module + version into both package.json and package-lock.json
It depends on the granularity of control you want to have. For example, if you just want to check for an update on an individual module you can run: npm update <pkg>. As this command will update your package.json file to save the newest version of this <pkg> as the now required version to build your project. Alternatively, you could run npm update to update all your project's top-level packages. Ok so those are the more general use cases but if you want a specific version of a package and you know the version of which you desire you can do the following: npm i --save <pkg>#<version> as this command will grab the package specified by your version number as well as update the package.json file to include this version of package as now being required to build your project. This will eliminate the need to first update the package.json file and then installing the newer version of said package, rather this will be condensed down to one step. Lastly, just for thoroughness the package-lock.json file is dynamically generated when you make important changes to your project, such as requiring new dependencies or updating existing dependencies. This file kind of serves as source of truth so others can build your project and have the same setup as you, for more information on this file take a look at the npm docs
Hopefully that helps!

Workflow with package-lock.json

Ok so I have an npm project at my work that a bunch of us are working on. It has dependencies on 'lodash' and 'jquery'.
I do an >npm install, and it pulls down my deps. Then I bundle it.
That creates a 'package-lock.json' on my system.
Now another developer adds a new dependency on 'moment'.
He does a >npm install -S moment.
That adds it to his package.json, and he checks that in. We don't check in the package-lock.json.
Now I do a 'git pull' and get the new package.json.
Now I do >npm install, BUT because I have my own package-lock.json, it doesnt install 'moment' for me. So now I have to:
>rm package-lock.json
>npm install
And now I have 'moment'. Seems like this package-lock.json isn't really helping my workflow. Could I get an explanation of how this should work for developers on a day-to-day basis, if we are all developing on a common npm module?
First, according to npm documentation:
This file is intended to be committed into source repositories
so you should commit your initial package-lock.json after you've done npm install.
Another developer pulls your changes, including the lockfile.
Then he does npm -S moment, which makes updates to both package.json and package-lock.json. The developer pushes a commit with these changes.
Now you pull his changes and do npm install. It should install moment for you . Furthermore, you both should now have exactly the same version of moment and it's dependencies installed - even if between his and your installs minor version of some dependency was incremented.
Merge conflicts
It all gets messy when both of you have installed new dependencies in parallel and then have a conflict on package-lock.json. This may be a huge file and quite a pain to merge manually. I haven't seen documented any official way of dealing with it. There is even an open issue in npm repo to provide solution to resolving conflicts.
One user shares his workaround workflow in the issue thread there, which basically means: override your local changes with package.json and package-lock.json pulled from master, then apply all your npm install -S and npm remove -S commands again. This seems to be a reasonable solution until the issue is resolved by npm.

Is it possible to generate a `yarn.lock` file without installing the packages?

I need to generate a yarn.lock file from my package.json but I want to avoid node_modules creation. Is it possible?
EDIT: Please check the comment below for a solution without the need for any additional package thanks to #talon55 : npm install --package-lock-only; yarn import
Old answer:
This is actually one of the few features that NPM has (npm install --package-lock-only) and Yarn does not support.
It is a heavily requested feature as you can tell from these 2 open Github issues: 5738 and 2340
I stumbled upon the command yarn generate-lock-entry documented in here but it definitely does not do what we are looking for.
The workaround I would suggest is generating an NPM lock file and converting it to a yarn.lock file using synp:
npm install -g synp
npm install --package-lock-only
synp --source-file package-lock.json
Please note that Synp requires the the packages to be installed and that the node_modules is rightly populated. This may, or may not be, a problem to your use case.
Available since yarn v3.0.0-rc.10
yarn install --mode update-lockfile
yarn generate-lock-entry > yarn.lock

Categories