Is it needed to have a lock file if I fix versions of all dependencies? - Javascript - PhpOut

hungdoansy
March 22, 2023
237 views
1 vote
2 Answers

I have a NodeJs/Typescript project and I fixed versions of all deps like this

{
  "dependencies": {
    "eslint": "8.30.0",
    "prettier": "2.8.1",
    "turbo": "1.6.3",
    "typescript": "4.9.4"
  }
}

Do I need yarn.lock or package-lock.json any more? I assume it will install the same version of deps everytime I run installation.

Thanks

Tags: javascript node.js package.json typescript

Answers

- AKX
- March 22, 2023 at 9:31 am
- 0 votes
0
Yes, because those packages may have specified their dependencies in a looser way; for instance, eslint 8.30.0’s package.json specifies all of the runtime dependencies with ^.

The lock file ensures that top-level dependencies and transitive dependencies are locked to specific versions.

Login or Signup to reply.

- Dimava
- March 23, 2023 at 2:44 pm
- 0 votes
0
Yes, you’d better to use it.

It awoids unwanted transitive dependencies updates. This is important, as they may, albeit rarely, get poisoned.

For example, our security flags es5-ext as protestware, so we have to force-limit its version in our apps

Login or Signup to reply.

Please signup or login to give your own answer.

Click here to cancel reply.