No matter how you like to participate in developer communities, Pulumi wants to meet you there. If you want to meet other Pulumi users to share use-cases and best practices, contribute code or documentation, see us at an event, or just tell a story about something cool you did with Pulumi, you are part of our community.

Pulumi Community

You can check in your `package-lock.json` to ensure others pick up the exact same versions. This is generally a good idea for any shared codebase.

ok - see below comment though.  It's not being respected

(new to Node) - but exact experience my co-worker had right next to me.  Cloned repo, npm install - package-lock.json got updated

ok - maybe not ignored ..... looks like it says a certain version or higher.  So this makes sense now.  Co-worker is installing fresh and it upgrades his packages

<@UD4701708> this is a good question, and a confusing one.

Basically, you want to check in your `package-lock.json`

The reason is that when you run `npm install` it will try to find versions of the dependencies that satisfy the constraints specified in `package.json`

If you always want `npm install` to choose _the same_ versions of these dependencies, even on different machiines, and even if a new version has been released, `package-lock.json` is important to have because it does what it says and locks the packages to specific versions. Make sense?

package-lock doesn't do what you think it does

you need to `npm ci` to actually pull the same package-lock bits

&gt;If dependencies in the package lock do not match those in package.json, npm ci will exit with an error, instead of updating the package lock.

because `npm install --save` uses the "latest patch" syntax, it's highly likely that two installs can pull down different versions.