Should I commit the yarn.lock file and what is it for?

yarnpkg

Yes, you should check it in, see Migrating from npm

Why is it for?
The npm client installs dependencies into the node_modules directory non-deterministically. This means that based on the order dependencies are installed, the structure of a node_modules directory could be different from one person to another. These differences can cause works on my machine bugs that take a long time to hunt down.

Yarn resolves these issues around versioning and non-determinism by using lock files and an install algorithm that is deterministic and reliable. These lock files lock the installed dependencies to a specific version and ensure that every install results in the exact same file structure in node_modules across all machines.


Depends on what your project is:

  1. Is your project an application? Then: Yes
  2. Is your project a library? If so: No

A more elaborate description of this can be found in this GitHub issue where one of the creators of Yarn eg. says:

The package.json describes the intended versions desired by the original author, while yarn.lock describes the last-known-good configuration for a given application.

Only the yarn.lock-file of the top level project will be used. So unless ones project will be used standalone and not be installed into another project, then there's no use in committing any yarn.lock-file – instead it will always be up to the package.json-file to convey what versions of dependencies the project expects then.


I see these are two separate questions in one. Let me answer both.

Should you commit the file into repo?

Yes. As mentioned in ckuijjer's answer it is recommended in Migration Guide to include this file into repo. Read on to understand why you need to do it.

What is yarn.lock?

It is a file that stores the exact dependency versions for your project together with checksums for each package. This is yarn's way to provide consistency for your dependencies.

To understand why this file is needed you first need to understand what was the problem behind original NPM's package.json. When you install the package, NPM will store the range of allowed revisions of a dependency instead of a specific revision (semver). NPM will try to fetch update the dependency latest version of dependency within the specified range (i.e. non-breaking patch updates). There are two problems with this approach.

  1. Dependency authors might release patch version updates while in fact introducing a breaking change that will affect your project.

  2. Two developers running npm install at different times may get the different set of dependencies. Which may cause a bug to be not reproducible on two exactly same environments. This will might cause build stability issues for CI servers for example.

Yarn on the other hand takes the route of maximum predictability. It creates yarn.lock file to save the exact dependency versions. Having that file in place yarn will use versions stored in yarn.lock instead of resolving versions from package.json. This strategy guarantees that none of the issues described above happen.

yarn.lock is similar to npm-shrinkwrap.json that can be created by npm shrinkwrap command. Check this answer explaining the differences between these two files.

Related

How to clear basic authentication details in chrome
What's a good way to extend Error in JavaScript?
Error renaming a column in MySQL
What's the best way to send a signal to all members of a process group?
Is it possible to declare a variable in Gradle usable in Java?
Java string split with "." (dot) [duplicate]
How to bind RadioButtons to an enum?
How to log SQL statements in Spring Boot?
How to create a directory in Java?
How does String substring work in Swift
Setting an environment variable before a command in Bash is not working for the second command in a pipe
How to see an HTML page on Github as a normal rendered HTML page to see preview in browser, without downloading?