Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Should I need to put yarn.lock in .gitignore? #1583

Closed
psaung opened this issue Nov 1, 2016 · 13 comments
Closed

Should I need to put yarn.lock in .gitignore? #1583

psaung opened this issue Nov 1, 2016 · 13 comments

Comments

@psaung
Copy link

psaung commented Nov 1, 2016

No description provided.

@goenning
Copy link

goenning commented Nov 1, 2016

You should add yarn.lock to your git, don't ignore it.

See https://yarnpkg.com/en/docs/migrating-from-npm

When you run either yarn or yarn add <package>, Yarn will generate a yarn.lock file within the root directory of your package. You don’t need to read or understand this file - just check it into source control. When other people start using Yarn instead of npm, the yarn.lock file will ensure that they get precisely the same dependencies as you have.

@sebmck sebmck closed this as completed Nov 1, 2016
@sebmck sebmck added the question label Nov 1, 2016
@donaldpipowitch
Copy link
Contributor

Just to be clear - this also applies to libraries as well and not just applications, because opposite to npm-shrinkwrap.json only the yarn.lock of the top level project will be used, right? So dependencies of dependencies with yarn.lock files will not generate unnecessary duplicates. It is useful for libraries, if you have complex dev dependencies and you want every contributor of your library to have the same build and test configurations.

Is this correct?

@jeznag jeznag mentioned this issue Nov 28, 2016
Closed
@katallaxie katallaxie mentioned this issue Nov 30, 2016
Closed
@ifunk ifunk mentioned this issue Jan 20, 2017
Open
@Pfeifenjoy Pfeifenjoy mentioned this issue Feb 13, 2017
Merged
49 tasks
@Pfeifenjoy
Copy link

@goenning
Maybe it is not always the best idea to put the yarn.lock file in your repository.
E.g. I am using sinopia. Therefore I have a custom npm registry. I use this registry mainly for other projects where I have private modules.
But when I push a public project to a git repository, which only has public dependencies, the yarn.lock has the wrong links to the dependencies and my CI system will fail to build the project.
The dependencies point to my local repository.
This can also happen to other developers if they clone my repository.
Is there any way to get around this except of putting the yarn.lock file into the gitignore?

@nchanged nchanged mentioned this issue Feb 14, 2017
Closed
@rutsky rutsky mentioned this issue Mar 17, 2017
Merged
@arnaudjuracek arnaudjuracek mentioned this issue Mar 28, 2017
Closed
@russitto russitto mentioned this issue Mar 29, 2017
Closed
@lazarljubenovic lazarljubenovic mentioned this issue Apr 3, 2017
Closed
5 tasks
petterh pushed a commit to petterh/react-native-android-activity that referenced this issue Apr 11, 2017
Check yarn.lock into git: yarnpkg/yarn#1583
34782a1
petterh added a commit to petterh/react-native-android-activity that referenced this issue Apr 11, 2017
@petterh
Create README, check in yarn.lock, rename RN component (#1)
99ef780 
* Create README.md

* Check yarn.lock into git: yarnpkg/yarn#1583

* Rename React Native component
@DovydasNavickas
Copy link

Also, if you have preauthenticated npm registry, e.g. myget which proxies to npm, yarn.lock will have preauthenticated links to packages, which is a major security breach 🎉
This should be documented somewhere with a big font.

petterh added a commit to petterh/react-native-android-activity that referenced this issue Apr 28, 2017
@petterh
Added custom native module and sample native activity (#2)
bfc0602 
* Create README.md
* Check yarn.lock into git: yarnpkg/yarn#1583
* Rename React Native component
* Added custom native module and sample native activity
* Updated README.md; added clipboard support; improved layout.
* Removed some unused files
@saeidalidadi saeidalidadi mentioned this issue May 4, 2017
Closed
@theinterned theinterned mentioned this issue May 9, 2017
Closed
@sc0rp10 sc0rp10 mentioned this issue May 18, 2017
Merged
@lazarljubenovic lazarljubenovic mentioned this issue Jun 3, 2017
Merged
@andrewda andrewda mentioned this issue Jul 19, 2017
Merged
assafmo added a commit to daostack/arc that referenced this issue Aug 22, 2017
@assafmo
yarn.lock should be in git (yarnpkg/yarn#1583 (comment))
3dfbe7d
@assafmo assafmo mentioned this issue Aug 22, 2017
Merged
@rifatdover rifatdover mentioned this issue Aug 30, 2017
Closed
@beenotung
Copy link

beenotung commented Oct 10, 2017
edited

@Pfeifenjoy what if you link to private packages using git submodule instead of npm?
using git, you can access the repo using deploy key (via ssh)

@Pfeifenjoy
Copy link

@beenotung I am not a big fan of using git as a dependency manager, because it is very slow, does not resolve dependencies the way I want them to be resolved and in my opinion it is best to have every dependency in one manager.

Also the dependency I am referencing will all (not only my own projects) get a different address, because they are saved in my local sinopia account. It would be very tedious to reference all node modules which my projects depends on in git.
Furthermore it is just easier to remove the yarn.lock file.

@thisolivier
Copy link

@Pfeifenjoy Is there possibly a conflict in what you want yarn to do? If you want to provide a way to make sure other installations have your dependencies, include it- it's performing as intended. If you're pulling in private repos and sources, you ought to be very cautious about how you share your code per-say, in the same way that you specifically would ignore any keys or salts from a repo (if you want to see a warning on the project readme, I'd make a feature/pull request).

Possibly yarn should give a warning when run alerting a user that access to an authenticated source has been included in the lock file, but again, that would be a feature request.

@Pfeifenjoy
Copy link

@thisolivier sounds reasonable

@bennyschmidt
Copy link

I disagree with the most upvoted comment here:

• if the project uses npm, commit package-lock.json to the repo and gitignore yarn.lock
• if the project uses yarn, commit yarn.lock to the repo and gitignore package-lock.json

That is, you should not always commit yarn.lock to the repo, and to answer OP's question, yes you might want to add it to .gitignore.

When other people start using Yarn instead of npm, the yarn.lock file will ensure that they get precisely the same dependencies as you have

First off, no it won't - only if you're only ever using the public npm registry. Worse if you're not authed to your private org in yarn, (even if you still are in npm), and a package of the same name exists in the public registry, it'll just install the wrong one with no prompt. It would be confusing why your yarn is installing with no errors, yet the app doesn't work when using yarn yet it does when using npm.

Secondly, many codebases don't use yarn. It's not a matter of "when they switch over to yarn". Almost all my node services & basic web servers use npm with no plans to move to yarn. I do like yarn with React, that's about it.

As @Pfeifenjoy mentioned above:

I have a custom npm registry. I use this registry mainly for other projects where I have private modules

But when I push a public project to a git repository, which only has public dependencies, the yarn.lock has the wrong links to the dependencies and my CI system will fail to build the project.

^ Another thing, even when you solve it locally, you have to incorporate the solution into the yaml or whatever config for CI & anywhere else you spin up the app - some kind of logic that can tell when to use which registry and which command - sounds annoying and unnecessary

Another thing - if you encourage everyone to always commit yarn.lock to the repo and never ignore it, developers will start using yarn in a repo that already heavily relies on npm. Even in the cases where it works fine there will be redundancies in the 2 lock files, and it will open a door to dependency hell. And you know some developer will commit a ~25k line yarn.lock at some point messing up your contributions graph 😂

thecodingwizard referenced this issue in cpinitiative/usaco-guide Sep 7, 2020
Remove autogenerated build file
061f46c
thecodingwizard referenced this issue in cpinitiative/usaco-guide Sep 7, 2020
Update .gitignore
b57bc0a
@thibauult thibauult mentioned this issue Oct 5, 2020
Merged
3 tasks
@Alxzu Alxzu mentioned this issue Oct 6, 2020
Merged
@GunaShekar02 GunaShekar02 mentioned this issue Feb 4, 2021
Merged
brian-pond pushed a commit to brian-pond/frappe that referenced this issue Mar 26, 2021
Update .gitignore, add yarn.lock
1fdc138 
Suggest adding `yarn.lock` to the .gitignore file.
See discussion here for more details:  yarnpkg/yarn#1583
@brian-pond brian-pond mentioned this issue Mar 26, 2021
Closed
@dsankouski dsankouski mentioned this issue Jul 24, 2021
Closed
gottschali added a commit to gottschali/HiveMind that referenced this issue Aug 16, 2021
@gottschali
Trash lockfile for consistent versions
879f38b 
yarnpkg/yarn#1583
JayKim88 added a commit to JayKim88/dev-contents-TIL that referenced this issue Oct 17, 2021
@JayKim88
Update gitignore not to ignore yarn.lock file
5de04bc 
Reason to manage yarn.lock file in git: yarnpkg/yarn#1583
@mptr mptr mentioned this issue Nov 18, 2021
Merged
@wurstbroteater wurstbroteater mentioned this issue Nov 20, 2021
Merged
@0xekez 0xekez mentioned this issue Jan 21, 2022
Merged
@tddough98 tddough98 mentioned this issue Feb 4, 2022
Merged
@AnshulNautiyal
Copy link

Hey Folks,
I created a FE project and install and add DEPENDENCY in package/yarn json files...It will generate yarn/package lock file automatically.
In the first commit, i committed the lock file with it so that other developers while installing dependency will have same order/version that i have installed in my system. No issues for module difference.
But when other devs install the dependency from package/yarn json files, It also generates yarn/package-lock file automatically.

yarn/package lock files should only be committed

  1. when u add new dependency to package/yarn json so that all dev have same versions installed (make sense)
  2. if developer is just installing dependency from package/yarn json files) (No new dependency )
  3. both 1 & 2

@TheNoim TheNoim mentioned this issue Jun 30, 2022
Merged
@vgihan vgihan mentioned this issue Jul 27, 2022
Closed
@AlipourIm AlipourIm mentioned this issue Aug 3, 2022
Merged
@polymorpher polymorpher mentioned this issue Aug 7, 2022
Merged
57 tasks
@hashibadaiki hashibadaiki mentioned this issue Jan 20, 2023
Merged
@stellaw1 stellaw1 mentioned this issue Feb 12, 2023
Merged
@mudulo mudulo mentioned this issue Apr 13, 2023
Merged
This was referenced Jun 25, 2023
Closed
Merged
@chadcrume chadcrume mentioned this issue Jul 4, 2023
Merged
@kostasrim kostasrim mentioned this issue Oct 19, 2023
Merged
@mwilsonoliveira mwilsonoliveira mentioned this issue Oct 24, 2023
Merged
@zly2006 zly2006 mentioned this issue Mar 23, 2024
Merged
@jihoon-seo jihoon-seo mentioned this issue Apr 16, 2024
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests