Aren't you mixing up two things here: committing to a source code repository, and publishing to a registry?
npm pack strips out package-lock.json for publishing. But I believe that even if there were package-lock.json files in dependencies, npm install ignores any but the top-level one, anyway. It wouldn't make sense conceptually to consider them, because if you successfully lock down your dependency versions from your root, you implicitly lock them for all dependencies further down the tree, as well.
On the other hand, nothing speaks against publishing package-lock.json with the source code. In fact, that's half of the reasons for its existence. Because it only has an effect if it's the top-level package, it will help library developers with its intended purpose, while not affecting library consumers.
Please correct me if I'm misunderstanding something here!
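A quick way to verify the first claim on your own machine, added here as an example and not part of the comment above: create a throwaway package that contains a package-lock.json and ask npm pack for its dry-run file list. It assumes npm is on PATH; the package name lockfile-probe and the minimal lockfile are constructed values.

```shell
#!/bin/sh
# Added example: check whether npm pack would include package-lock.json in the
# published tarball. The package "lockfile-probe" is a constructed placeholder.
set -eu

# Returns 0 if package-lock.json is excluded from the pack list, 1 if it would be
# published (or the pack list could not be read), and 2 if npm is not installed.
pack_excludes_lockfile() {
  command -v npm >/dev/null 2>&1 || return 2
  dir=$(mktemp -d)
  cat > "$dir/package.json" <<'EOF'
{ "name": "lockfile-probe", "version": "1.0.0", "license": "MIT" }
EOF
  # A minimal lockfile; its contents do not matter for the packing decision.
  cat > "$dir/package-lock.json" <<'EOF'
{ "name": "lockfile-probe", "version": "1.0.0", "lockfileVersion": 3, "packages": {} }
EOF
  # --dry-run builds no tarball; --json prints the files that would go into it.
  files=$(cd "$dir" && npm pack --dry-run --json 2>/dev/null)
  rm -rf "$dir"
  # Sanity check: package.json must always be in the list.
  printf '%s\n' "$files" | grep -q '"path": *"package.json"' || return 1
  if printf '%s\n' "$files" | grep -q '"path": *"package-lock.json"'; then
    return 1
  fi
  return 0
}

if pack_excludes_lockfile; then
  echo "package-lock.json is stripped from the published tarball"
else
  echo "package-lock.json would be published, or npm is unavailable (exit $?)"
fi
```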