The question is simple: should I include package-lock.json in source control? In other words, should it be committed to your git repository, or not?
If you are just looking for an answer, that answer is yes. However, we also want to give you an explanation.
The package-lock.json file should always be part of your source control. Never put it into .gitignore.
Why include package-lock.json in source control?
We already covered the package-lock.json file in detail in this post. In short, it is a JSON file that lists the full dependency tree of your JavaScript application. In other words, if you use external packages and libraries, you will find them listed in this file. What is most interesting, however, is that you also see the dependencies of those packages, and the dependencies of those, all the way down to packages that have no dependencies of their own.
The package-lock.json file does not simply list the tree of packages. For each one it records the exact version that was installed, the URL it was resolved from and an integrity hash of the downloaded tarball, so a later install can verify that it is getting the very same bytes. It is a complete snapshot of the dependencies of your application, right now.
If the application is working, you know that this exact configuration of dependencies is working. Say that, later, some third party updates one of its packages and your application breaks: with the lockfile in version control you can diff the old and new snapshots and trace the issue to the package that changed. If you don't include package-lock.json in source control, you'll have no idea which module broke the whole thing.
Many developers include only the package.json file (without the lock) in their source control. That file must be included, but it shouldn't be the only one. The package.json file only tracks your direct dependencies, and usually as version ranges (such as ^4.18.0) rather than exact versions. If a dependency of a dependency changes, or a range resolves to a newer release than it did last week, you can only see that in your package-lock.json. That's why you need to track both files.
To recap, you should always include both package.json and package-lock.json in your source control, so never put either of them in the .gitignore file. In this way you can keep track of the exact configuration of dependencies of your application. Remember that the snapshot only protects you if installs honour it: npm ci installs exactly what the lockfile says and fails if it is out of sync with package.json, whereas npm install may update the lockfile, so review lockfile changes in your pull requests like any other change. Ultimately, this maximizes portability and predictability.