I’ve used npm 5’s package-lock feature for some time, but it doesn’t do what the name package-lock.json implies. I immediately switched back to yarn, which I’ve been using for a very long time.
To see how npm’s locking feature is broken (npm says this is intended behaviour), set up a project with some dependencies and commit the lock file. Wait a week or two (for new versions to be released) and remove the node_modules/ folder. If you then run npm install, you will see that package-lock.json is modified as per
I strongly recommend that anyone go through the above two links before choosing npm 5’s lock feature for dependency version locking.