I just cloned the node-red repo locally and noticed after running npm install that the package-lock.json has not been committed to master. It's considered a good practice to do this. Assuming you all have not previously decided NOT to add this file for a compelling reason, I am happy to submit a PR that adds this file.
Thanks!
Brandon
Hi - one of the reasons we've avoided adding it in is because we have some dependencies where we want npm to pick the latest available version of the extra node-red nodes the core pulls in: https://github.com/node-red/node-red/blob/e03a0fffa9ea2b195d5acda5a8e918b148bce1b7/package.json#L63-L66
I believe if we introduce package-lock.json we'll lose that ability as it'll install the specific version in the lock file and not the latest that matches the semver in package.json - happy to be corrected if I'm wrong on it.
With the dev branch for 0.20, things get a more complicated as we now have 5 modules under the one repo - and the development process never runs npm install under each of those modules, so we don't get a package-lock file generated for them.
So it's something to look at, but not necessarily as simple as just checking one in.
Copyright OpenJS Foundation and Node-RED contributors. All rights reserved. The OpenJS Foundation has registered trademarks and uses trademarks. For a list of trademarks of the OpenJS Foundation, please see our Trademark Policy and Trademark List. Trademarks and logos not indicated on the list of OpenJS Foundation trademarks are trademarks™ or registered® trademarks of their respective holders. Use of them does not imply any affiliation with or endorsement by them.
The OpenJS Foundation | Terms of Use | Privacy Policy | OpenJS Foundation Bylaws | Trademark Policy | Trademark List | Cookie Policy