add package-lock=true to .npmrc

[mcollina]

As titled. A user can override this with their global .npmrc setting.

Note that the project does not build if the deps are not installed from the lockfile.

[Copilot]

Copilot wasn't able to review any files in this pull request.

Files not reviewed (1)

• .npmrc: Language not supported

[vercel]

The latest updates on your projects. Learn more about Vercel for Git ↗︎

Name	Status	Preview	Updated (UTC)
nodejs-org	✅ Ready (Inspect)	Visit Preview	Apr 23, 2025 5:06pm

[codecov-commenter]

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 74.61%. Comparing base (139b316) to head (e16aaa9).
Report is 2 commits behind head on main.

✅ All tests successful. No failed tests found.

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #7676      +/-   ##
==========================================
- Coverage   74.63%   74.61%   -0.03%     
==========================================
  Files          96       96              
  Lines        7689     7689              
  Branches      192      192              
==========================================
- Hits         5739     5737       -2     
- Misses       1948     1950       +2     
  Partials        2        2              

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[avivkeller]

Can you elaborate why this is needed?

What are the consequences of not doing this?

[MattIPv4]

Per the docs, https://docs.npmjs.com/cli/v11/using-npm/config#package-lock, this is set to true by default -- why do we need to explicitly set it?

[mcollina]

Because quite a few high-profile maintainers (including me) set this to false by default as it's way too much work to keep this up-to-date over 500+ projects. Also, it doesn't hurt to add it.

Note it would not be needed if the project could build without that file - currently it doesn't . My guess is some dependencies are not really following semver.

[avivkeller]

Note it would not be needed if the project could build without that file - currently it doesn't . My guess is some dependencies are not really following semver.

We should look into that

[MattIPv4]

Ah, I see, makes sense to me to set it then 👍 Would it be worth adding a comment above the line explaining why we're setting what is a default?

[avivkeller]

Note it would not be needed if the project could build without that file - currently it doesn't . My guess is some dependencies are not really following semver.

I am able to build with a deleted package-lock.json file, can you show the error you face when trying to build without the file? It would certainly help with reproducing and resolving the error.

git clean -dfX # Remove all non-tracked files
rm package-lock.json
npm i
npm build

[bjohansebas]

Note it would not be needed if the project could build without that file - currently it doesn't . My guess is some dependencies are not really following semver.

It's a precaution to avoid breaking production and to ensure everyone has the same development environment. It's a good practice, and that's why deleting the package-lock isn't an option I see as viable

[bjohansebas]

As I mentioned in my previous comment, it's a way to prevent breaking production and to ensure we all share the same development environment. So a comment like that can be useful, and it’s worth mentioning that some developers disabled it for a specific reason.

[avivkeller]

Closing due to #7662

[mcollina]

pnpm suffers from the same issue, and it's 100% irrelevant to why this is needed.

[MattIPv4]

Given we no longer have an npmrc file at all, could you not just have your own locally and add it to your local gitignore, if this is something your setup needs still?