Conversation
- clean up `lib` before rebuilding it - ensure the build process runs prepublish - ensure that backports aren't unintentionally published as "latest"
| # Only apps should have lockfiles | ||
| npm-shrinkwrap.json | ||
| package-lock.json | ||
| yarn.lock |
There was a problem hiding this comment.
It can be useful for a library to have a lockfile checked in (and not published) so that build and test dependencies are locked to known-good versions.
There was a problem hiding this comment.
I don’t agree; that allows the package to pass tests while consumers fail them. Dev-only lockfiles are only appropriate for apps, not for packages.
There was a problem hiding this comment.
I mainly mention because I feel like I've had build and test specific dev-dependencies (such as babel-plugin-add-module-exports today :P ) break much more often than regular dependencies. It's a very painful experience to clone an old repository to make a quick tweak and find it can't even build. I find it important to guarantee that a project is in a buildable (and hopefully even fully-reproducible) state as it was in the last commit. Finding out about breakages in non-dev-dependencies is important, but omitting a lockfile so the next repo-cloner runs into it isn't the specific way I like to go about it for my own projects. (Personally, I like using greenkeeper for that sort of thing.)
I'm happy with whichever way this project goes, just wanted to dump some of my experiences and reasoning here! The main meat of this PR seems really needed and I definitely wouldn't want to delay that.
There was a problem hiding this comment.
Indeed you should use something like greenkeeper to keep up with that, rather than letting a project bitrot until you try to maintain it later.
3 participants
This ensures that the build process isn't forgotten.
Additionally, it ensures that backports won't be mistakenly published as "latest", it cleans up the build output before recreating it, and it removes lockfiles, since this is a published package.