Pin Down NPM Package Versions with Yarn.lock

Instructor: Mark Shust
Published 5 years ago
Updated 3 years ago

Running npm shrinkwrap, then npm install, then npm shrinkwrap again is not guaranteed to produce the same output as shrinkwrapping once, whereas Yarn explicitly uses "an install algorithm that is deterministic and reliable". We'll learn how to generate a yarn.lock file and commit it to version control to ensure a deterministic and reliable module install process.

By default, npm is not 100 percent deterministic. Even if you use npm shrinkwrap, you cannot guarantee that what npm install produces on one computer will be installed exactly the same way on another computer. You can fix this by using Yarn.

Yarn was built to be deterministic, reliable, and fast. New projects can get started very easily by typing "yarn add" followed by the package you want to install. You can also specify an exact version to install, or use a range or version constraint if you prefer a different install criterion.

After installing the first package, Yarn will create a yarn.lock file. We can check the exact pinned-down version of this package by searching for our installed package in this file. Yarn also records a checksum for each downloaded file and verifies later downloads against it, so every install receives exactly the same artifact.

Regarding version control, be sure to add both the package.json file and the yarn.lock file to your repository. You'll also want to ignore the node_modules directory, as these assets are generated when the yarn command is run later at build time, or post-deploy.
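The lesson says to look up a package in yarn.lock to see its pinned version and that Yarn checks downloaded files against the lock file. The following added example (it is not part of the lesson and not Yarn's own code) parses a small, constructed yarn.lock v1 excerpt (the hashes are placeholders, not real values) and cross-checks it against a constructed package.json: for each declared dependency it reports the exact pinned version and flags entries that have no integrity checksum or no lock entry at all, which is what a reviewer wants to know before trusting a committed lock file.

```javascript
// Added example: parse a yarn.lock v1 file and cross-check it with package.json.
// Both inputs below are constructed for this demo; hashes are placeholders.

const SAMPLE_LOCK = `# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.
# yarn lockfile v1


"@scope/pkg@^2.1.0":
  version "2.1.3"
  resolved "https://registry.yarnpkg.com/@scope/pkg/-/pkg-2.1.3.tgz#PLACEHOLDER_SHA1"
  integrity sha512-PLACEHOLDER_BASE64==

"left-pad@^1.3.0", "left-pad@~1.3.0":
  version "1.3.0"
  resolved "https://registry.yarnpkg.com/left-pad/-/left-pad-1.3.0.tgz#PLACEHOLDER_SHA1"
  integrity sha512-PLACEHOLDER_BASE64==
  dependencies:
    ms "2.1.2"

ms@2.1.2:
  version "2.1.2"
  resolved "https://registry.yarnpkg.com/ms/-/ms-2.1.2.tgz#PLACEHOLDER_SHA1"
  integrity sha512-PLACEHOLDER_BASE64==

old-lib@^0.5.0:
  version "0.5.2"
  resolved "https://registry.yarnpkg.com/old-lib/-/old-lib-0.5.2.tgz#PLACEHOLDER_SHA1"
`;

// Constructed package.json contents (the object form, as JSON.parse would return it).
const SAMPLE_PACKAGE_JSON = {
  dependencies: { 'left-pad': '^1.3.0', '@scope/pkg': '^2.1.0' },
  devDependencies: { 'old-lib': '^0.5.0', 'not-installed': '^9.0.0' },
};

// Parse yarn.lock v1 into a Map of "name@range" -> { version, resolved, integrity }.
// Several ranges can share one entry (comma-separated header), so they share one object.
function parseYarnLock(text) {
  const entries = new Map();
  let current = null;
  for (const line of text.split('\n')) {
    if (line.trim() === '' || line.startsWith('#')) continue;
    if (!line.startsWith(' ')) {
      // Header line: one or more quoted or bare "name@range" keys ending with ':'.
      const header = line.replace(/:\s*$/, '');
      current = { version: null, resolved: null, integrity: null };
      for (const key of header.split(',')) {
        entries.set(key.trim().replace(/^"|"$/g, ''), current);
      }
      continue;
    }
    // Only top-level fields (2-space indent); nested "dependencies:" children are skipped.
    if (!line.startsWith('  ') || line.startsWith('    ')) continue;
    const m = line.trim().match(/^(\w+)\s+"?([^"]*)"?$/);
    if (m && current && m[1] in current) current[m[1]] = m[2];
  }
  return entries;
}

// Compare every declared dependency with the lock file and report its status:
//   ok           - lock entry found and it carries an integrity checksum
//   no-integrity - lock entry found but no checksum recorded (downloads unverified)
//   missing      - no lock entry for this name@range (lock file is stale)
function checkLock(pkg, entries) {
  const declared = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
  const report = [];
  for (const [name, range] of Object.entries(declared)) {
    const entry = entries.get(`${name}@${range}`);
    if (!entry) {
      report.push({ name, range, version: null, status: 'missing' });
      continue;
    }
    report.push({
      name,
      range,
      version: entry.version,
      resolved: entry.resolved,
      status: entry.integrity ? 'ok' : 'no-integrity',
    });
  }
  return report;
}

// Stand-alone usage: print the cross-check for the constructed inputs.
const REPORT = checkLock(SAMPLE_PACKAGE_JSON, parseYarnLock(SAMPLE_LOCK));
for (const r of REPORT) {
  console.log(`${r.name}@${r.range} -> ${r.version || '(none)'} [${r.status}]`);
}
```

A "missing" result means yarn.lock and package.json have drifted apart (someone edited package.json without running yarn), and "no-integrity" means the entry gives Yarn nothing to verify the download against; both are worth failing a build on.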

Dusty Doris
~ 4 years ago

Could you expand on this a little bit, specifically in regards to npm5 with the package-lock.json file?

Taken from Yarn's website:

"npm 5 has stronger guarantees across versions and has a stronger deterministic lockfile, but Yarn only has those guarantees when you’re on the same version in favor of a lighter lockfile that is better for review."

Mark Shust (instructor)
~ 4 years ago

I believe what they are saying is that npm 5 has a higher compatibility of determinism across different versions of npm, while on yarn you only have those determinisms if everyone is using the same version of yarn. Luckily with Docker, you can (and should) pin down specific versions of software, such as yarn, to ensure everyone is running the exact same version.

Dusty Doris
~ 4 years ago

Ahh makes sense. Thanks!

Michael
~ 4 years ago

There are more dependencies:

  • yarn
  • Node.js
  • npm
  • Docker

How to ensure that all developers use the same version of these dependencies? Or to put it another way: How to ensure that yarn, Node.js and npm are the same version on the host (machine of developer) as on Docker? Do you even run them on the host during development? If not, how do you update package.json? Normally I would run yarn add <package-name> on the host.