
Doesn't node have lockfiles? Cloning a project and running npm install would install the exact dependencies declared in the lockfile right? To quote the docs[1]:

> The goal of package-lock.json file is to keep track of the exact version of every package that is installed so that a product is 100% reproducible in the same way even if packages are updated by their maintainers.

[1]: https://nodejs.dev/learn/the-package-lock-json-file



Nope, you need to run `npm ci` to guarantee that you don't write a new lockfile.
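A CI-side check for the point above, added here as an example and not taken from the thread: hash the lockfile before and after an install-style command and fail the step when the command rewrote it. The command is a parameter (in CI you would pass `npm ci`) so the check itself runs even where npm is not installed; `lockfile_guard` and `lockfile_digest` are names chosen for this example.

```shell
#!/bin/sh
# Added example: detect lockfile drift caused by an install command.
# Usage in CI: lockfile_guard package-lock.json npm ci
set -eu

# Portable SHA-256 of a file (sha256sum on Linux, shasum on macOS).
lockfile_digest() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# lockfile_guard LOCKFILE CMD [ARGS...]
# Runs CMD and returns 0 only if LOCKFILE still exists afterwards with the
# same content it had before. Returns 1 when CMD rewrote or deleted the
# lockfile (or it was missing to begin with), 2 when CMD itself failed.
lockfile_guard() {
    lock=$1; shift
    [ -f "$lock" ] || { echo "no lockfile at $lock" >&2; return 1; }
    before=$(lockfile_digest "$lock")
    "$@" || { echo "command failed: $*" >&2; return 2; }
    [ -f "$lock" ] || { echo "lockfile removed by: $*" >&2; return 1; }
    after=$(lockfile_digest "$lock")
    if [ "$before" != "$after" ]; then
        echo "lockfile drift: $lock was rewritten by '$*'" >&2
        return 1
    fi
    echo "lockfile unchanged: $lock"
}
```

Pair it with a committed lockfile in version control; a nonzero exit means the build resolved something the lockfile did not pin, which is exactly the case a reproducible install is meant to rule out.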


Also, the lockfiles are not recursive, i.e. they don't apply to the dependencies you install or their transitive deps.



