Ask HN: Should you commit package-lock.json?

For an application, yes, commit the lock file. TL:DR; use “npm ci”, not “npm i”.<p>This has several benefits; a) You know if a test fails, you broke something. Not a bug caused by dep shift. b) Your team is using same versions of deps during dev (reduces “works on my computer” moments) c) Your builds are more reproducible. You can be more confident that you can exactly build say, last month’s version of the app and have it work the same way it did back then.<p>Re: the noise problem, recommend using “npm ci” as the default and “npm i” only where you’re planning to update deps. This is less work than “freezing” stuff in package.json and also addresses the problem of transitive deps (the deps if your deps, which you would not really want to put in package.json anyway).<p>Use npm audit to detect stuff that <i>needs</i> updating and treat periodic dep updates as a janitorial task. When you do updates, make a PR with just the dep updates (plus any changes needed for them to work) and make sure all the tests pass. You can mostly automate this.<p>As a side note, the docs explicitly call out that the file is intended to be committed: <a href="https:&#x2F;&#x2F;docs.npmjs.com&#x2F;files&#x2F;package-lock.json" rel="nofollow">https:&#x2F;&#x2F;docs.npmjs.com&#x2F;files&#x2F;package-lock.json</a>

Have you looked at yarn? From my experience yarn does not change its lock file unless you explicitly change your dependencies.