Why do we need lock files?

Vikram Gupta
Oct 4, 2022


We all see files like yarn.lock or package-lock.json in our projects, and sometimes we see both, which shouldn’t happen.

I often come across the following questions from developers.

  1. Why do we need a lock file?
  2. Why do we need to commit it to the repo?
  3. Why do we need to keep updating it?

This article is to answer all the questions above.

Why do we need lock files?

Firstly, lock files are nothing new; they have been used for a while in various ecosystems, for example Gemfile.lock in Ruby, and Gradle has its own lock file.

Lock files, as the name says, lock the versions of the dependencies, so that when the dependencies are installed on the production servers there are no surprises: the versions are picked from the lock file, and those exact versions have already been tested on local and stage servers.

So, why would the dependencies be different if there is no lock file?

package.json lists the dependencies that need to be installed on the production servers. However, most of the dependency versions are prefixed with either a ~ or a ^ symbol.

To understand why, we have to understand the semantic versioning used for npm modules. A version consists of 3 parts, i.e., the major, minor, and patch versions, as shown below.

Figure: The basic syntax of semantic versioning. Source: Rana 2019.

An entry prefixed with ^ installs the latest minor version available at install time. Similarly, a version prefixed with ~ installs the latest patch version. These range prefixes exist so that the developer does not need to upgrade the version manually every time.

Why do we need to commit the lock file?

Well, from the sections above we’ve understood that most dependency versions are prefixed with either ~ or ^.

Now, let's understand why committing the lock file is important. Below is a sample entry from the lock file. It mentions 2 versions:

  1. Specified version: the version specified against the package name in the package.json file.
  2. Installed version: the version that would be installed in the absence of the lock file.

Figure: Sample entry in the lock file
Figure: package.json entry

As you see above, although the version mentioned in package.json is 16.6.3, the caret symbol means that, in the absence of the lock file, the latest minor version available at that time will be installed.

If we don’t commit the lock file, a new, untested version will be installed on production, and there is a chance that it could break our production build or bring untested code directly into production. Even while installing packages, we are shown the info ‘No lockfile found’ if the lock file is not committed.

So, it’s very important to commit the lock files to the repo.
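The following is an added example, not code from the original article: a minimal resolver for the ^ and ~ ranges described above, used to show what gets installed with and without a lock file. It also covers the stricter caret rule for 0.x versions, which the article does not mention. The registry snapshot and lock entry are constructed sample data; no real registry is consulted.

```javascript
// Added example (not from the original article). Minimal npm-style range
// resolver for exact pins, ~ (patch updates) and ^ (minor + patch updates).

const parse = (v) => v.split('.').map(Number); // "16.6.3" -> [16, 6, 3]

// Compare two parsed versions: negative if a < b, 0 if equal, positive if a > b.
function compare(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// Return [lowerInclusive, upperExclusive] bounds for a range string.
function bounds(range) {
  const op = range[0] === '^' || range[0] === '~' ? range[0] : '';
  const [maj, min, pat] = parse(op ? range.slice(1) : range);
  if (op === '') return [[maj, min, pat], [maj, min, pat + 1]]; // exact pin
  if (op === '~') return [[maj, min, pat], [maj, min + 1, 0]]; // patch updates only
  // caret: minor + patch updates, but leading zeros (0.x.y, 0.0.y) are stricter
  if (maj > 0) return [[maj, min, pat], [maj + 1, 0, 0]];
  if (min > 0) return [[0, min, pat], [0, min + 1, 0]];
  return [[0, 0, pat], [0, 0, pat + 1]];
}

// Highest available version satisfying the range: what npm/yarn picks when
// there is no lock file. Returns null if nothing matches.
function resolve(range, available) {
  const [lo, hi] = bounds(range);
  const ok = available.map(parse)
    .filter((v) => compare(v, lo) >= 0 && compare(v, hi) < 0)
    .sort(compare);
  return ok.length ? ok[ok.length - 1].join('.') : null;
}

// With a lock file: reuse the locked version as long as it still satisfies
// package.json; otherwise the lock entry is stale and we resolve afresh.
function install(range, available, lock) {
  const [lo, hi] = bounds(range);
  if (lock && compare(parse(lock), lo) >= 0 && compare(parse(lock), hi) < 0) return lock;
  return resolve(range, available);
}

// Constructed registry snapshot: 16.8.0 was published after the lock was written.
const REGISTRY = ['16.6.3', '16.7.1', '16.8.0', '17.0.2', '0.2.3', '0.2.9', '0.3.0'];

console.log(resolve('^16.6.3', REGISTRY));           // 16.8.0: untested drift without a lock
console.log(resolve('~16.6.3', REGISTRY));           // 16.6.3: only patch updates allowed
console.log(install('^16.6.3', REGISTRY, '16.7.1')); // 16.7.1: the tested, locked version
```

Running it under Node shows the same package.json entry resolving to a different version depending only on whether a lock entry exists.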

Why do we need to keep updating it?

You can count on the following reasons:

  1. Enjoy the latest features and fixes.
  2. Timely updates help you avoid security vulnerabilities introduced by the dependencies.
  3. Adding a new package can become an issue, because the new package may bring in dependencies at their latest versions that are incompatible with the existing, older packages, resulting in big tech debt.

Managing the lock file

There are many ways to maintain dependencies and lock files, such as interactive upgrades, essential upgrades, and audits. I’ll cover all of these and many more in my next article.

References

  1. https://classic.yarnpkg.com/lang/en/docs/yarn-lock/
  2. https://docs.npmjs.com/cli/v8/configuring-npm/package-lock-json
  3. Rana, Ashu. 2019. “Branching and Release Strategies.” Xebia Engineering Blog, on Medium, December 3. Accessed 2020-06-26.