Pin Down NPM Package Versions with Yarn.lock
npm shrinkwrap > npm install > npm shrinkwrap is not guaranteed to produce the same output as just shrinkwrapping once, whereas Yarn explicitly uses "an install algorithm that is deterministic and reliable". We’ll learn how to generate a yarn.lock file and commit it to version control to ensure a deterministic and reliable module install process.
Could you expand on this a little bit, specifically in regards to npm5 with the package-lock.json file?
Taken from yarn's website
"npm 5 has stronger guarantees across versions and has a stronger deterministic lockfile, but Yarn only has those guarantees when you’re on the same version in favor of a lighter lockfile that is better for review."
I believe what they are saying is that npm 5 has a higher compatibility of determinism across different versions of npm, while on yarn you only have those determinisms if everyone is using the same version of yarn. Luckily with Docker, you can (and should) pin down specific versions of software, such as yarn, to ensure everyone is running the exact same version.
Ahh makes sense. Thanks!
There are more dependencies:
- yarn
- Node.js
- npm
- Docker
How to ensure that all developers use the same version of these dependencies? Or to put it another way: How to ensure that yarn, Node.js and npm are the same version on the host (machine of developer) as on Docker? Do you even run them on the host during development? If not, how do you update package.json? Normally I would run yarn add <package-name> on the host.