Should I commit my package-lock.json or yarn.lock?

Short Answer:

ALWAYS COMMIT YOUR PACKAGE-LOCK.JSON AND YARN.LOCK FILES (and please don’t add them to your .gitignore).

Longer Short Answer:

What is a lock file?

An autogenerated file that records the exact version of every dependency and sub-dependency installed in the project.

Why should you always commit your package-lock.json and yarn.lock files?

Committing your package-lock.json (for npm) or yarn.lock (for Yarn) files ensures that everyone working on your project installs the exact same versions of dependencies and sub-dependencies. The lock files capture the precise version numbers of all packages installed, providing a snapshot of your project’s dependency tree at a given time.

Including them in your version control gives you:

  • Consistency Across Environments: It guarantees that all developers and CI/CD pipelines use the same package versions, preventing the classic “it works on my machine” problem.
  • Reproducible Builds: It allows for reliable builds by ensuring that the same dependencies are installed every time, which is crucial for testing and production environments.
  • Avoiding Unintended Breakages: By locking dependencies, you minimize the risk of introducing bugs due to updates in third-party packages that might include breaking changes.
  • Security: Makes it possible to track and audit the specific versions of packages for known vulnerabilities.
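
A committed lock file only delivers these guarantees if its entries are actually pinned and hash-checked. The following is an added example (not code from the original post) that reads the `packages` map of a lockfileVersion 2/3 `package-lock.json` and flags entries that weaken reproducibility or auditability; the sample lock, its package names and the `TRUSTED_REGISTRY` value are constructed assumptions.

```javascript
"use strict";

// Assumption: the only registry you expect packages to be resolved from.
const TRUSTED_REGISTRY = "https://registry.npmjs.org/";

// Constructed sample lock (lockfileVersion 3 layout); package names and hashes are made up.
const SAMPLE_LOCK = {
  name: "demo-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", dependencies: { "left-pad-ish": "^1.0.0" } },
    "node_modules/left-pad-ish": {
      version: "1.0.2",
      resolved: "https://registry.npmjs.org/left-pad-ish/-/left-pad-ish-1.0.2.tgz",
      integrity: "sha512-CONSTRUCTED_PLACEHOLDER_HASH_A",
    },
    "node_modules/no-hash": {
      version: "2.1.0",
      resolved: "https://registry.npmjs.org/no-hash/-/no-hash-2.1.0.tgz",
      // integrity deliberately absent: npm cannot verify the tarball it downloads
    },
    "node_modules/from-git": {
      version: "0.3.0",
      resolved: "git+ssh://git@example.invalid/org/from-git.git#abc123",
      integrity: "sha512-CONSTRUCTED_PLACEHOLDER_HASH_B",
    },
  },
};

// Returns a list of { pkg, issue } findings; an empty list means every entry is
// pinned to a version, carries an integrity hash, and resolves to the trusted registry.
function auditLockfile(lock) {
  const findings = [];
  if (!lock || !lock.packages) {
    findings.push({ pkg: "", issue: "no 'packages' map (lockfileVersion 1 or malformed lock)" });
    return findings;
  }
  for (const [path, entry] of Object.entries(lock.packages)) {
    if (path === "") continue; // the root project entry, not a dependency
    const pkg = path.replace(/^.*node_modules\//, "");
    if (!entry.version) findings.push({ pkg, issue: "no pinned version" });
    if (!entry.integrity) findings.push({ pkg, issue: "no integrity hash" });
    if (entry.resolved && !entry.resolved.startsWith(TRUSTED_REGISTRY)) {
      findings.push({ pkg, issue: `resolved outside trusted registry: ${entry.resolved}` });
    }
  }
  return findings;
}

console.log(auditLockfile(SAMPLE_LOCK)); // on the sample: no-hash and from-git are flagged
```

Run the same function over `JSON.parse(fs.readFileSync("package-lock.json"))` in CI to fail the build when a lock entry loses its hash or starts resolving from an unexpected source.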

Committing your lock files maintains the integrity and predictability of your project, making development smoother and deployments safer.