Committing lock files to repo

When using package manager like yarn or npm it will create a lock file such as yarn.lock, package-lock.json & Gopkg.lock

These lock files need to be committed to the repo to ensure that every install results in the same file structure in node_modules across all machines (including CI server caching).

Yarn

  1. Add yarn.lock to the repository and commit it
  2. Use yarn install --frozen-lockfile and NOT yarn install as a default both locally and on CI build servers.

NPM

  1. commit the package-lock.json.
  2. use npm ci instead of npm install when building your applications both on your CI and your local development machine

Reference

https://stackoverflow.com/questions/39990017/should-i-commit-the-yarn-lock-file-and-what-is-it-for

https://stackoverflow.com/questions/44206782/do-i-commit-the-package-lock-json-file-created-by-npm-5/56254478#56254478

https://stackoverflow.com/questions/52630404/how-to-install-packages-based-on-the-lock-file-with-yarn