Problem/Motivation
With NPM version 5, a package-lock.json file is created automatically when adding dependencies. Since we are using Yarn to manage Node.js dependencies, we want to avoid an accidental inclusion of a package-lock.json in patches by developers who have accidentally used NPM.
Proposed resolution
Add package-lock.json to .gitignore.
Comment | File | Size | Author |
---|---|---|---|
#17 | 2881697-17.patch | 373 bytes | GrandmaGlassesRopeMan |
#17 | interdiff-2881697-0-17.txt | 243 bytes | GrandmaGlassesRopeMan |
#2 | ignore-package-lock.patch | 266 bytes | droplet |
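
A .gitignore entry only keeps an untracked package-lock.json from being staged by default; it does not inspect patches that arrive from elsewhere. As an added example (not part of this issue or of Drupal's tooling), the POSIX shell function below scans a unified diff for an added or modified package-lock.json, tracking hunk line counts so that hunk content resembling a file header is not misread. The function name and the sample patch are constructed for illustration.

```sh
# Added example: report npm lockfiles that a unified diff (stdin) adds or modifies.
# Prints each matching path; returns 1 if any were found, 0 otherwise.
find_npm_lockfiles() {
  awk '
    function span(range,   p, n) { n = split(range, p, ","); return (n == 2) ? p[2] + 0 : 1 }
    oldleft > 0 || newleft > 0 {          # inside a hunk: consume lines, never parse headers
      c = substr($0, 1, 1)
      if (c == "+") newleft--
      else if (c == "-") oldleft--
      else if (c != "\\") { oldleft--; newleft-- }   # context line (backslash = no-newline marker)
      next
    }
    /^@@ / { oldleft = span($2); newleft = span($3); next }
    /^\+\+\+ / {                          # post-image file header, e.g. "+++ b/core/x"
      path = substr($0, 5); sub(/\t.*$/, "", path); sub(/^b\//, "", path)
      n = split(path, parts, "/")
      if (parts[n] == "package-lock.json") { print path; found = 1 }
    }
    END { exit (found ? 1 : 0) }
  '
}

# Constructed sample patch: one hunk line that looks like a header, one real lockfile.
SAMPLE_PATCH=$(cat <<'EOF'
diff --git a/README.txt b/README.txt
--- a/README.txt
+++ b/README.txt
@@ -1,2 +1,3 @@
 Install dependencies with Yarn.
+++ b/not-a-header/package-lock.json
 See core/package.json.
diff --git a/core/package-lock.json b/core/package-lock.json
new file mode 100644
--- /dev/null
+++ b/core/package-lock.json
@@ -0,0 +1,3 @@
+{
+  "lockfileVersion": 1
+}
EOF
)
printf '%s\n' "$SAMPLE_PATCH" | find_npm_lockfiles || echo "patch adds an npm lockfile" >&2
```
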
Comments
Comment #2
droplet
Comment #3
nod_
should we switch back to npm5 once it's out instead of yarn? lots of improvements
Comment #4
droplet
Still don't know how well the package-lock.json is.
Yarn is still faster than npm@5 in my testing.
With warm caching and installed packages (node_modules). Yarn only took 1 sec to re-check the dependencies but npm@5 took 6 sec (Including command exit time)
Comment #5
droplet
Yarn maintainers give us some direction. Although, that's not much. @see: https://yarnpkg.com/blog/2017/05/31/determinism/
Comment #6
GrandmaGlassesRopeMan
Yarn still appears to be faster in the testing I've done. I don't really have a preference, but we have written all the docs pointing to yarn.
Comment #7
droplet
Yeah, I think we can commit this patch first. v8 just released but still a few months away from the LTS version.
nodejs <-> io.js
npm <-> Yarn
Drupal is quite similar to the older NODEJS / NPM development style. Moving very slowly (and they think that's the best development way already). No idea which new competitor could give Drupal some pressure, haha!
Comment #8
GrandmaGlassesRopeMan
@droplet
Yeah. I think it's this fall, somewhere in the 8.x release cycle. Otherwise, 👍
Comment #9
lauriii
Doesn't this only happen if you use npm install? Why should we make this change if we are currently trying to make people use yarn for installing packages?
Comment #10
droplet
@lauriii,
Good Question!
I think for some reason, developers may run `npm install developer-helper`. Actually, some packages will fail to install on Yarn. Or say if you're a PHP developer, run Yarn or NPM won't affect the patching :)
Comment #11
cilefen
Could someone please explain in a few more words in the issue summary why package-lock.json is a bad thing?
Comment #12
GrandmaGlassesRopeMan
Comment #13
cilefen
Ah!
Comment #14
cilefen
Comment #15
GrandmaGlassesRopeMan
👏 👍
Comment #16
lauriii
Sorry, but I think we should also include this explanation in the .gitignore like we do have for the other lines as well.
Comment #17
GrandmaGlassesRopeMan
I provided a slightly shorter description for .gitignore.
Comment #18
lauriii
This one looks good for me.
Comment #19
webchick
Ok, looks like this one is straight-forward and has approval from the right folks.
Committed and pushed to 8.4.x. Thanks!