Stop using package-lock.json or yarn.lock

I maintain over 200 repositories on GitHub and one of the most common PRs that I receive is someone adding package-lock.json or yarn.lock. These PRs are closed without merging because dependency lock files are not designed to be used by packages that are themselves dependencies of other packages.

What’s going wrong?

The official npm documentation encourages committing package-lock.json files to source code version control:

Responding to criticism

Some comments suggested that the biggest advantage of package-lock.json is that it allows developers to replicate the development environment.
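To make concrete what a lock file adds on top of package.json, here is an added example (not code from this post): it takes a constructed package.json and a constructed lockfileVersion 1 package-lock.json and reports, for each declared dependency, the exact version the lock resolves to, whether that version still falls inside the declared range, and whether an integrity hash is present. The semver matcher is a deliberately minimal one written for this example and the integrity strings are placeholders.

```javascript
// Added example (not from the original post). All data below is constructed;
// the integrity values are placeholders, not real hashes.
const manifest = {
  name: "demo-app",
  dependencies: { lodash: "^4.17.4", express: "~4.15.0", debug: "2.6.8" },
};

const lock = {
  name: "demo-app",
  lockfileVersion: 1,
  dependencies: {
    lodash: { version: "4.17.4", integrity: "sha512-CONSTRUCTED-lodash" },
    express: { version: "4.16.0", integrity: "sha512-CONSTRUCTED-express" },
    debug: { version: "2.6.8" }, // constructed: integrity field missing
  },
};

// Parse "1.2.3" into [1, 2, 3]; returns null for anything else.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  return m ? m.slice(1).map(Number) : null;
}

// Minimal semver check for the three forms used above: exact, "~" and "^".
// "^" on a 0.x base is treated as same-minor; 0.0.x is not handled.
function satisfies(range, version) {
  const v = parseVersion(version);
  const base = parseVersion(range.replace(/^[\^~]/, ""));
  if (!v || !base) return false;
  const [bm, bn, bp] = base, [vm, vn, vp] = v;
  const below = vm < bm || (vm === bm && vn < bn) || (vm === bm && vn === bn && vp < bp);
  if (below) return false;
  if (range.startsWith("^")) return bm === 0 ? vm === 0 && vn === bn : vm === bm;
  if (range.startsWith("~")) return vm === bm && vn === bn;
  return vm === bm && vn === bn && vp === bp;
}

// For each declared dependency: the exact version the lock pins, whether it is
// inside the declared range (drift check), and whether an integrity hash exists
// (without one the fetched tarball is not verified against the lock).
function auditLock(manifest, lock) {
  const report = {};
  for (const [name, range] of Object.entries(manifest.dependencies)) {
    const entry = lock.dependencies[name];
    report[name] = {
      declared: range,
      resolved: entry ? entry.version : null,
      inRange: entry ? satisfies(range, entry.version) : false,
      hasIntegrity: Boolean(entry && entry.integrity),
    };
  }
  return report;
}

console.table(auditLock(manifest, lock));
```

On the constructed input, express is flagged as drifted (the lock pins 4.16.0 while package.json declares ~4.15.0) and debug as lacking an integrity hash, which is exactly the kind of pinning a package.json alone cannot express.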

Software architect, startup adviser. Editor of https://medium.com/applaudience. Founder of https://go2cinema.com.