sorry for the ignorance..... coworker pulled down ...
# general
o
sorry for the ignorance..... coworker pulled down code repo .... identical to mine. However, his "npm install" set up newer versions of modules. Didn't seem to respect the package-lock.json file in the repo. Is there good guidance around the workflow for checking code in/out and package versions with Pulumi?
w
You can check in your `package-lock.json` to ensure others pick up the exact same versions. This is generally a good idea for any shared codebase.
o
ok - see below comment though. It's not being respected
(new to Node) - but that's the exact experience my co-worker had right next to me. Cloned the repo, ran npm install, and package-lock.json got updated
ok - maybe not ignored ..... looks like it says a certain version or higher. So this makes sense now. My co-worker is installing fresh and it upgrades his packages
breaking changes for gke/gcp provider
c
@orange-tailor-85423 this is a good question, and a confusing one.
Basically, you want to check in your `package-lock.json`. The reason is that when you run `npm install`, it will try to find versions of the dependencies that satisfy the constraints specified in `package.json`. If you always want `npm install` to choose the same versions of these dependencies, even on different machines, and even if a new version has been released, `package-lock.json` is important to have because it does what it says and locks the packages to specific versions. Make sense?
q
package-lock doesn't do what you think it does. You need to `npm ci` to actually pull the same package-lock bits:
"If dependencies in the package lock do not match those in package.json, npm ci will exit with an error, instead of updating the package lock."
Because `npm install --save` uses the "latest patch" syntax, it's highly likely that two installs can pull down different versions.