I'm maintaining PHP packages and we have the same debate about composer.lock in libraries.
I'm lucky to live in the same city as one of the two authors of composer (npm's counterpart in the PHP world), so I once had a personal discussion about the topic with him.
He also suggested committing the lock file with the package (which I don't do either), but he also suggested doing this in the CI pipeline:
test the package with the deps as in the lockfile
downgrade the direct deps to the lowest version allowed by the .json file and test against that
upgrade the direct deps to the highest version allowed by the .json file and test against that as well
Here I can see the benefit of the lockfile, although I haven't started doing it yet.
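The three-strategy CI run described in the comment above (locked, lowest allowed, highest allowed), as an added shell example that is not from the thread and not Composer's own tooling. It assumes a library checkout with a composer.json, a committed composer.lock, and vendor/bin/phpunit as the test runner; the strategy names and the helper names are mine.

```shell
#!/bin/sh
# Added example (hypothetical CI helper), not code from the thread above.
# Assumes: composer on PATH, composer.json in the working directory,
# a committed composer.lock for the "locked" strategy, and vendor/bin/phpunit.
set -eu

# Map a strategy name to the composer command that produces that dependency set.
# Prints the command line; returns 1 for an unknown strategy.
deps_command() {
  case "$1" in
    # Exactly what the lock file pins, i.e. what the maintainer last tested.
    locked)  echo "composer install --no-interaction --no-progress" ;;
    # Oldest versions still satisfying composer.json; --prefer-stable keeps
    # the resolver from picking dev/alpha releases just because they are lower.
    lowest)  echo "composer update --prefer-lowest --prefer-stable --no-interaction --no-progress" ;;
    # Newest versions satisfying composer.json, as a fresh consumer would get.
    highest) echo "composer update --no-interaction --no-progress" ;;
    *)       return 1 ;;
  esac
}

# Install the dependency set for one strategy and run the test suite against it.
run_strategy() {
  strategy="$1"
  cmd="$(deps_command "$strategy")" || {
    echo "unknown strategy: $strategy (use locked, lowest or highest)" >&2
    return 2
  }
  # Without a committed composer.lock, "composer install" silently behaves like
  # "composer update", so the locked run would not test what it claims to.
  if [ "$strategy" = locked ] && [ ! -f composer.lock ]; then
    echo "locked strategy needs a committed composer.lock" >&2
    return 2
  fi
  echo "==> $strategy: $cmd"
  sh -c "$cmd"
  # Record what was actually resolved so a failing job is debuggable from the log.
  composer show --direct
  vendor/bin/phpunit
}

# Run all three strategies in sequence; the first failure aborts the job.
run_all() {
  for s in locked lowest highest; do
    run_strategy "$s"
  done
}

# CLI entry point: ./deps-matrix.sh lowest   (or several strategies, or none).
if [ "$#" -gt 0 ]; then
  for s in "$@"; do
    run_strategy "$s"
  done
fi
```

Two caveats a practitioner should keep in mind: `--prefer-lowest` lowers the whole resolved graph, transitive packages included, not only the direct dependencies the comment mentions, so a failure in that job can come from a transitive package; and the `highest` run rewrites composer.lock in the CI workspace, so that modified lock must never be committed back from the job. The guard on the `locked` strategy is the practical reason to commit the lock file in the first place: without it there is no fixed dependency set to test against.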
Dependency lock files are for fast-tracking your dependencies via a file cache, so it doesn't have to look through npm again to find them. You are meant to commit it, yes, and I don't think there is a case for not committing it.
It also works the same on composer.
Why ignore the author's advice about that? Your CI pipeline versions will eventually mess up because you don't commit it...