
I have a Node.js/TypeScript project and I fixed the versions of all deps like this:

{
  "dependencies": {
    "eslint": "8.30.0",
    "prettier": "2.8.1",
    "turbo": "1.6.3",
    "typescript": "4.9.4"
  }
}

Do I need yarn.lock or package-lock.json any more? I assume it will install the same version of deps every time I run the installation.

Thanks

2 Answers


  1. Yes, because those packages may have specified their dependencies in a looser way; for instance, eslint 8.30.0’s package.json specifies all of the runtime dependencies with ^.

    The lock file ensures that top-level dependencies and transitive dependencies are locked to specific versions.

  2. Yes, you’d better use it.

    It avoids unwanted transitive dependency updates. This is important, as they may, albeit rarely, get poisoned.

    For example, our security flags es5-ext as protestware, so we have to force-limit its version in our apps.

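Both answers rest on the same point: an exact pin on a top-level package says nothing about the ranges that package declares for its own dependencies, so a second install can pull a different transitive version unless a lockfile (or an explicit override) fixes it. The following toy resolver is an added illustration, not code from the question or either answer. The registry, package names and versions are constructed for the demo; the `overrides` option stands in for what npm's `overrides` and yarn's `resolutions` fields do in a real package.json.

```javascript
// Added example: a toy dependency resolver showing why a pinned top-level version
// does not pin transitive dependencies, and what a lockfile or an override changes.
// Everything in REGISTRY is constructed for the demo (not real packages/versions).
const REGISTRY = {
  "example-lint": {
    // One exact version, but its own dependency uses a caret range,
    // like eslint's runtime dependencies do.
    "8.30.0": { "example-util": "^1.2.0" },
  },
  "example-util": {
    "1.2.0": {},
    "1.3.0": {},
    "1.4.0": {}, // newest 1.x available "today"
  },
};

function parseVersion(v) {
  return v.split(".").map(Number);
}

// Numeric comparison of major.minor.patch; negative if a < b.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] - pb[i];
  }
  return 0;
}

// Caret semantics for versions >= 1.0.0: same major, not older than the stated version.
// Anything else is treated as an exact pin.
function satisfies(version, range) {
  if (range.startsWith("^")) {
    const base = range.slice(1);
    return (
      parseVersion(version)[0] === parseVersion(base)[0] &&
      compareVersions(version, base) >= 0
    );
  }
  return version === range;
}

// Resolve one package: an override replaces the requested range, a lockfile entry
// wins when it still satisfies the range, otherwise take the newest matching version.
function resolve(name, range, { lockfile = {}, overrides = {} } = {}) {
  const effectiveRange = overrides[name] || range;
  const locked = lockfile[name];
  if (locked && satisfies(locked, effectiveRange)) return locked;
  const candidates = Object.keys(REGISTRY[name]).filter((v) =>
    satisfies(v, effectiveRange)
  );
  if (candidates.length === 0) {
    throw new Error(`no version of ${name} satisfies ${effectiveRange}`);
  }
  return candidates.sort(compareVersions).pop();
}

// Walk the tree from a package.json "dependencies" map; returns name -> resolved version.
function install(dependencies, options = {}) {
  const resolved = {};
  const queue = Object.entries(dependencies);
  while (queue.length > 0) {
    const [name, range] = queue.shift();
    if (resolved[name]) continue;
    const version = resolve(name, range, options);
    resolved[name] = version;
    queue.push(...Object.entries(REGISTRY[name][version]));
  }
  return resolved;
}

// Exact top-level pin, as in the question.
const deps = { "example-lint": "8.30.0" };

// No lockfile: the transitive package floats to the newest 1.x in the registry.
const floating = install(deps);
// Lockfile written by an earlier install: the transitive package stays at 1.2.0.
const locked = install(deps, { lockfile: { "example-util": "1.2.0" } });
// Force-limiting a transitive version, as the second answer describes.
const capped = install(deps, { overrides: { "example-util": "1.3.0" } });

console.log({ floating, locked, capped });
```

Run it with `node`: the top-level pin resolves identically in all three cases, but `example-util` comes out as 1.4.0 without a lockfile, 1.2.0 with one, and 1.3.0 under the override. The real-world equivalent is committing `package-lock.json` or `yarn.lock` and installing from it (`npm ci`), so that the transitive tree only changes when you deliberately update it.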