In this video you will learn about how to work correctly with all dependencies in your project, lock files, package-lock, yarn.lock and what is it all about. Also I will share some important knowledge about working with lock files so make sure that you want this video until the end. Let's jump right into it.
So what problem do we have? Normally when we develop we want to install some libraries. And I'm not even talking specifically about frontend now. It can be frontend, backend, mobile development. Everywhere is a same problem. We install 1-3-5 libraries and it just works. Then other developer installs this libraries on his machine in a month and everything stops working. Or even better - your production server made a new build and everything is broken.
What the problem? Some library was just updated. Let's say you installed a library 1.0 and after a month somebody installed 1.1 where they broke a method or API and now nothing is working. So it may sound really pessimistic but if some of you libraries in project were updated then you project is probably already broken.
Okay I think it's scary enough now.
So here is an empty folder and I will just generate new package.json file with
Now let's say we are doing NodeJS application and we want to install express package for this.
npm install express
Now in package.json we have a specific version of installed package. And here you have a caret symbol. This is a special notation that says that minor and patch versions can be updated. This means second and third numbers. At this moment most people think that if they will just remove caret symbol from here the version of package will be locked forever and we can simply always write
This is actually partially true. This line really promises that we will install express with this specific version. But things are actually more complicated. Because every package has it's own dependencies. If we open now node_modules folder we don't see just single folder with express package but thousands of libraries. This is because express has it's own dependencies. So while they developer express that install like 10 or 20 additional dependencies. And they the authors of that libraries also installed some dependencies. So to use just a single library normally you install the whole tree of libraries starting with the library that you actually want to install.
This brings us to the next point. It's not enough to just lock express because sure express package will be locked but you don't know how authors of express configured their dependencies and if that can be updated or not or authors of the dependencies or the dependencies. You get the point.
So the solution to this is somehow to lock the whole tree of all dependencies that you have. And this is exactly where lock files some into play. In every language you have the same solution with lock file which keeps track on all your dependencies and it's an only way to be sure that exactly this packages that are working now on your machine will be installed by next developer or on your production server.
So every time when you install or update package with node you are getting this package-lock file. If you are working with yarn your yarn.lock file will be updated. As you can see we installed express with node and this is why we get here package-lock file.
Let's open it. As you can see this is tree representation of our dependencies. Here we can find express and see all it dependencies. But actually it's even more complex because it can happen that 2 different libraries have the same library as a dependency and depends on the version it may or may not be installed twice, as well as be a conflict between to different libraries.
This is basically why node_modules folder is so big and our applications in any language have so many dependencies. You can never be sure that your other library can work with the latest version of the same dependency that you are already using.
Also as you can imagine npm and yarn should be wise enough to resolve conflicts when you are trying to merge 2 lock files or update the dependencies every time correctly.
And here is the most important point that you need to remember. First of all you must always commit lock file in git. Because if you don't commit then next developer will install your dependencies not from lock file but from package.json which will lead to installing latest dependencies which are available and not the locked versions that we wanted.
Secondly you should never ever delete lock file. Even if you have conflict there that you can't resolve automatically. Removing the lock file brings your application in super dangerous state. Because next time when all packages will be installed it will be for sure broken somewhere on production without noticing the problem.
And if you think that I'm a little bit pessimistic about this stuff during the last 10 years I saw hundreds of times when production was broken because of the updating of some package even if it was patch or minor version so you should never believe that installing patch or minor won't break your code. An update is an update and anything can be broken.
Call to action
So always use lockfiles, always commit them, don't believe the creators of libraries and you will have less overtimes.
Also I have a lot of full courses regarding different web technologies. So don't forget to check them out. I will link them down in the description box below.
If you find this video helpful, don't forget to subscribe to this channel and hit subscribe button. Thanks for watching and I see you in my next video.