Pin Down NPM Package Versions with Yarn.lock

Running npm shrinkwrap, then npm install, then npm shrinkwrap again is not guaranteed to produce the same output as shrinkwrapping once, whereas Yarn explicitly uses "an install algorithm that is deterministic and reliable". We'll learn how to generate a yarn.lock file and commit it to version control so that every install of the project's modules is deterministic and reproducible.

Dusty Doris
~ 7 years ago

Could you expand on this a little bit, specifically in regards to npm5 with the package-lock.json file?

Taken from Yarn's website:

"npm 5 has stronger guarantees across versions and has a stronger deterministic lockfile, but Yarn only has those guarantees when you’re on the same version in favor of a lighter lockfile that is better for review."

Mark Shust (instructor)
~ 7 years ago

I believe what they are saying is that npm 5 has a higher compatibility of determinism across different versions of npm, while on yarn you only have those determinisms if everyone is using the same version of yarn. Luckily with Docker, you can (and should) pin down specific versions of software, such as yarn, to ensure everyone is running the exact same version.
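An added example, not part of the lesson or of Mark's comment, of pinning the toolchain in Docker the way he describes: the base image tag fixes the Node.js and bundled Yarn versions, a version check fails the build if the image does not ship what the team expects, and --frozen-lockfile makes Yarn refuse to rewrite the committed yarn.lock. The image tag and the version numbers are assumed placeholders to replace with your project's own.

```dockerfile
# Added example (not from the lesson): pin every layer of the toolchain so that
# yarn install produces the same node_modules for every developer and in CI.
# The image tag and the expected versions are assumptions for illustration.

# 1. Pin the base image to an exact tag rather than a floating one like node:16.
#    The image determines both the Node.js version and the bundled Yarn version.
FROM node:16.20.2-alpine

# 2. Fail the build early if the image does not ship the versions we expect,
#    so a re-pushed tag cannot silently change the toolchain underneath us.
ARG NODE_VERSION=v16.20.2
ARG YARN_VERSION=1.22.19
RUN test "$(node --version)" = "$NODE_VERSION" \
 && test "$(yarn --version)" = "$YARN_VERSION"

WORKDIR /app

# 3. Copy only the manifest and the committed lockfile first, so this layer
#    stays cached until one of them changes.
COPY package.json yarn.lock ./

# 4. --frozen-lockfile makes Yarn refuse to modify yarn.lock: if package.json
#    and yarn.lock disagree, the build fails instead of resolving new versions.
RUN yarn install --frozen-lockfile

# 5. Application source is copied last so dependency layers are reused.
COPY . .
CMD ["yarn", "start"]
```

Developers who add packages on the host should run the same pinned Yarn version, since yarn.lock produced by a different version may not be treated identically by the image's Yarn.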

Dusty Doris
~ 7 years ago

Ahh makes sense. Thanks!

Michael
~ 7 years ago

There are more dependencies:

  • yarn
  • Node.js
  • npm
  • Docker

How do you ensure that all developers use the same version of these dependencies? Or, to put it another way: how do you ensure that yarn, Node.js and npm are the same version on the host (the developer's machine) as in Docker? Do you even run them on the host during development? If not, how do you update package.json? Normally I would run yarn add <package-name> on the host.