The role of the Lockfile

1. Ensure that a stable dependency tree is generated on every install, by locking each dependency and the versions of its own dependencies.

2. Speed up installation. Yarn and npm both apply optimizations such as deduplicating common dependency versions and flattening the tree; with a lockfile present, that computation does not have to be repeated.

package-lock.json and yarn.lock

yarn.lock

Generate and update policies as follows:

  • If yarn.lock does not exist, install the dependency and generate yarn.lock.
  • If yarn.lock exists and matches the version range in package.json, yarn.lock remains unchanged and yarn does not check for a new version.
  • If yarn.lock does not meet all dependencies in package.json, Yarn searches for the latest available version that meets the constraints in package.json and updates yarn.lock.

package-lock.json

npm has generated a lockfile by default since version 5.0, but the lockfile behaviour changed several times across the early 5.x releases:

1. In 5.0.x, install follows the lock file no matter how package.json has changed.

2. After 5.1.0, npm install ignores the lock file and downloads the latest versions of the packages.

3. After 5.4.2, the behaviour is consistent with yarn.lock.

How to use lockfiles correctly

1. Commit every lockfile update

For example, when yarn adds a new dependency, commit the package.json and yarn.lock changes together, so that the next developer to run install is not surprised by an unexpected lockfile change.

2. Don't mix package managers

For example, if the project's package manager is yarn and its lockfile is yarn.lock, running npm install some-dependency updates package.json and creates a package-lock.json, but leaves yarn.lock untouched.

3. Use --frozen-lockfile

Even with a lockfile present, there is no guarantee that the dependencies installed in a continuous integration environment are the same as during development, because package.json and the lockfile may disagree and the dependency version then gets updated. This can be avoided with --frozen-lockfile.

yarn --frozen-lockfile
# or
npm ci

The two commands above behave similarly: dependencies are installed only if the lockfile exists and matches package.json; otherwise an error is reported. This forces developers to resolve dependency changes at development time rather than in CI.

4. Use the yarn/npm mechanism to resolve lockfile conflicts during code merges

Versions after [email protected] and [email protected] resolve lockfile merge conflicts automatically: after a merge conflict occurs, run the install command instead of resolving the lockfile conflict by hand.

yarn install
# or
npm install

5. [Recommended] Use yarn.

npm and yarn have borrowed from each other for a long time. Apart from some differences in CLI commands, their features are very similar, and the gap in installation speed keeps shrinking.

However, as described above, lockfile policy differs between earlier npm versions, which can produce inconsistent dependencies when different environments run different npm versions. Yarn does not have this concern.