Do I commit package-lock.json
Do I commit the `package-lock.json` file created by npm 5?

Yes, you SHOULD:
- commit the `package-lock.json`.
- use `npm ci` instead of `npm install` when building your applications both on your CI and your local development machine

The `npm ci` workflow requires the existence of a `package-lock.json`.

blog.logrocket.com: Why you should use package-lock.json

Make sure you don’t change `package-lock.json` directly. That’s being handled automatically by NPM. It reflects changes made to `package.json` to `package-lock.json` and keeps it up to date.

However, this only happens if you use NPM’s CLI to make changes. If you manually change `package.json`, don’t expect `package-lock.json` to update. Always use the CLI commands, like install, uninstall, etc.

stackoverflow.com: What is the difference between “npm install” and “npm ci”?

Use `npm install` to add new dependencies, and to update dependencies on a project. Usually, you would use it during development after pulling changes that update the list of dependencies but it may be a good idea to use `npm ci` in this case.

Use `npm ci` if you need a deterministic, repeatable build. For example during continuous integration, automated jobs, etc. and when installing dependencies for the first time, instead of `npm install`.

Conclusion

Don’t use `npm install` without arguments to fetch dependencies; use `npm ci` for that. You can use `npm install <package>` style invocations, that is `npm install` with arguments, to install specific dependencies.

Use `npm ci` everywhere when you only want the local dependencies tree, even on your local development environment.
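
The drift that results from hand-editing `package.json` (the case the blog excerpt warns about, and the one that makes `npm ci` exit with an error) can be caught early with a small check. This is an added example, not code from the quoted sources; it assumes lockfileVersion 2 or 3, where `packages[""]` mirrors the root manifest, and `findLockDrift`, `checkProject` and the sample data are hypothetical names and constructed values. It compares recorded range strings only, so `npm ci` remains the authoritative check.

```javascript
// Added example: detect package.json / package-lock.json drift before a build.
const fs = require("fs");
const path = require("path");

const SECTIONS = ["dependencies", "devDependencies", "optionalDependencies"];

// Returns a list of human-readable problems; an empty list means "in sync".
function findLockDrift(manifest, lock) {
  if (!lock) return ["package-lock.json is missing (npm ci requires it)"];
  if (!lock.packages || !lock.packages[""]) {
    return ["lockfile has no packages[\"\"] entry (lockfileVersion 1 is not handled here)"];
  }
  const root = lock.packages[""];
  const problems = [];
  for (const section of SECTIONS) {
    const declared = manifest[section] || {};
    const locked = root[section] || {};
    for (const [name, range] of Object.entries(declared)) {
      if (!(name in locked)) {
        problems.push(`${section}: ${name} is in package.json but not in the lockfile`);
      } else if (locked[name] !== range) {
        problems.push(`${section}: ${name} range ${range} differs from lockfile range ${locked[name]}`);
      } else if (section !== "optionalDependencies" && !lock.packages[`node_modules/${name}`]) {
        problems.push(`${section}: ${name} has no resolved entry in the lockfile`);
      }
    }
    for (const name of Object.keys(locked)) {
      if (!(name in declared)) {
        problems.push(`${section}: ${name} is locked but was removed from package.json`);
      }
    }
  }
  return problems;
}

// Reads both files from a project directory (hypothetical helper for CI use).
function checkProject(dir) {
  const read = (f) => JSON.parse(fs.readFileSync(path.join(dir, f), "utf8"));
  const hasLock = fs.existsSync(path.join(dir, "package-lock.json"));
  return findLockDrift(read("package.json"), hasLock ? read("package-lock.json") : null);
}

// Constructed sample: package.json was edited by hand, the lockfile was not updated.
const sampleManifest = { dependencies: { "left-pad": "^1.3.0", "is-odd": "^3.0.1" } };
const sampleLock = { lockfileVersion: 3, packages: {
  "": { dependencies: { "left-pad": "^1.2.0" } },
  "node_modules/left-pad": { version: "1.2.0" },
} };
console.log(findLockDrift(sampleManifest, sampleLock));
```

Calling `checkProject(".")` in a pre-build step and failing on a non-empty result gives the same early signal on a developer machine that `npm ci` gives in CI.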