I have a NodeJs/Typescript project and I fixed versions of all deps like this
{
  "dependencies": {
    "eslint": "8.30.0",
    "prettier": "2.8.1",
    "turbo": "1.6.3",
    "typescript": "4.9.4"
  }
}
Do I need yarn.lock or package-lock.json any more? I assume it will install the same version of deps every time I run installation.
Thanks
2 Answers
Yes, because those packages may have specified their dependencies in a looser way; for instance, eslint 8.30.0’s package.json specifies all of the runtime dependencies with ^. The lock file ensures that top-level dependencies and transitive dependencies are locked to specific versions.
Yes, you’d better use it.
It avoids unwanted transitive dependency updates. This is important, as they may, albeit rarely, get poisoned.
For example, our security flags es5-ext as protestware, so we have to force-limit its version in our apps.
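Both answers make the same point: your own exact versions do not pin what your dependencies declare with ^. The following added example (not code from the question or either answer) models that with a minimal caret-range resolver; the package names, version lists and registry snapshots are constructed for illustration.

```javascript
// Added example: why pinning top-level versions does not pin transitive ones.
// Package names, manifests and registry snapshots below are constructed.

const parse = (v) => v.split(".").map(Number);
const cmp = (a, b) => a[0] - b[0] || a[1] - b[1] || a[2] - b[2];

// npm "^" semantics: ^1.2.3 allows >=1.2.3 <2.0.0, ^0.2.3 allows >=0.2.3 <0.3.0,
// ^0.0.3 allows only 0.0.3 (the leftmost non-zero component must not change).
function caretSatisfies(range, version) {
  const lo = parse(range.slice(1));
  const v = parse(version);
  if (cmp(v, lo) < 0) return false;
  if (lo[0] > 0) return v[0] === lo[0];
  if (lo[1] > 0) return v[0] === 0 && v[1] === lo[1];
  return cmp(v, lo) === 0;
}

// What an installer picks for a range when there is no lock file: the highest
// published version that satisfies it. An exact version matches only itself.
function resolveRange(range, published) {
  const match = range.startsWith("^")
    ? published.filter((v) => caretSatisfies(range, v))
    : published.filter((v) => v === range);
  return match.sort((a, b) => cmp(parse(b), parse(a)))[0] ?? null;
}

// Resolve the app's dependencies and their transitive dependencies against a
// registry snapshot. A lock file, when given, wins over re-resolution, which
// is exactly what makes the install reproducible.
function install(manifests, registry, lockfile = null) {
  const tree = {};
  const visit = (name, range) => {
    tree[name] = lockfile?.[name] ?? resolveRange(range, registry[name]);
    for (const [dep, r] of Object.entries(manifests[name] ?? {})) visit(dep, r);
  };
  for (const [name, range] of Object.entries(manifests.app)) visit(name, range);
  return tree;
}

// Constructed data: the app pins "tool" exactly, but tool's own package.json
// declares "some-lib" with a caret, and some-lib publishes 1.5.0 later on.
const manifests = { app: { tool: "2.0.0" }, tool: { "some-lib": "^1.4.0" } };
const registryBefore = { tool: ["2.0.0"], "some-lib": ["1.4.0", "1.4.1"] };
const registryAfter = { tool: ["2.0.0"], "some-lib": ["1.4.0", "1.4.1", "1.5.0", "2.0.0"] };

const first = install(manifests, registryBefore);        // some-lib -> 1.4.1
const drift = install(manifests, registryAfter);         // some-lib -> 1.5.0, app unchanged
const locked = install(manifests, registryAfter, first); // lock from first install: 1.4.1
```

The `drift` tree is the situation the answers warn about: nothing in the app's package.json changed, yet a fresh install pulls a transitive version nobody reviewed.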