且构网


Should I commit yarn.lock and package-lock.json files?

Updated: 2021-11-07 22:17:16

Always commit dependency lock files in general

As is covered elsewhere, dependency lock files, which are supported by many package management systems (e.g.: composer and bundler), should be committed to the codebase in end-of-chain projects - so that each individual trying to run that project is doing so with exactly the tested set of dependencies.

It's less clear whether lock files should always be committed into packages that are intended to be included in other projects (where looser dependencies are desirable). However, both Yarn and NPM (as covered by @Cyrille) intelligently ignore yarn.lock and package-lock.json respectively where necessary, making it safe to always commit these lockfiles.

So you should always commit at least one of yarn.lock or package-lock.json depending on which package manager you're using.

At present we have two different package management systems, which both install the same set of dependencies from package.json, but which generate and read from two different lockfiles. NPM 5 generates package-lock.json, whereas Yarn generates yarn.lock.

If you commit package-lock.json then you're building in support for people installing your dependencies with NPM 5. If you commit yarn.lock, you're building in support for people installing dependencies with Yarn.

Whether you choose to commit yarn.lock or package-lock.json or both depends on whether those developing on your project are only using Yarn or NPM 5 or both. If your project is open-source, the most community-friendly thing to do would probably be to commit both and have an automated process to ensure yarn.lock and package-lock.json always stay in sync.

Update: Yarn have now introduced an import command which will generate a yarn.lock file from a package-lock.json file. This could be useful for keeping the two files in sync. (Thanks @weakish)

This issue was discussed at length on the Yarn project in:

  • "Idea: support package-lock.json from npm 5"
  • "Competing lockfiles create poor UX"

Both of which are closed.
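The "automated process" the answer recommends for keeping yarn.lock and package-lock.json in sync can be a small CI check that fails the build when the two files pin different versions of the same package, so that Yarn users and npm users never silently end up with different dependency trees. The script below is an added example and is not part of the original answer or of the Yarn or npm projects. It assumes the common line layout of the yarn.lock v1 format (a minimal parser, not a complete one), reads package-lock.json for lockfileVersion 1, 2 and 3, and uses two constructed sample lockfiles embedded inline.

```python
"""Drift check between yarn.lock and package-lock.json.

Added example (not from the original answer): a CI-style check that reports
packages whose pinned versions differ between the two lockfiles.  The yarn.lock
reader below is an assumption about the common v1 layout, not a full parser.
"""
import json
import re

# Constructed sample yarn.lock (v1 layout).  minimist is deliberately 1.2.5 here
# and 1.2.6 in the package-lock sample so the check has something to report.
SAMPLE_YARN_LOCK = """\
# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.
# yarn lockfile v1


"@scope/pkg@^1.0.0":
  version "1.2.0"
  resolved "https://registry.yarnpkg.com/@scope/pkg/-/pkg-1.2.0.tgz#constructed"
  integrity sha512-CONSTRUCTED-A

lodash@^4.17.0, lodash@^4.17.20:
  version "4.17.21"
  resolved "https://registry.yarnpkg.com/lodash/-/lodash-4.17.21.tgz#constructed"
  integrity sha512-CONSTRUCTED-B

minimist@^1.2.0:
  version "1.2.5"
  resolved "https://registry.yarnpkg.com/minimist/-/minimist-1.2.5.tgz#constructed"
  integrity sha512-CONSTRUCTED-C
"""

# Constructed sample package-lock.json (lockfileVersion 1, as written by npm 5/6).
SAMPLE_PACKAGE_LOCK = json.dumps({
    "name": "demo", "version": "1.0.0", "lockfileVersion": 1, "requires": True,
    "dependencies": {
        "@scope/pkg": {"version": "1.2.0", "integrity": "sha512-CONSTRUCTED-A"},
        "lodash": {"version": "4.17.21", "integrity": "sha512-CONSTRUCTED-B"},
        "minimist": {"version": "1.2.6", "integrity": "sha512-CONSTRUCTED-D"},
    },
})


def parse_yarn_lock(text):
    """Map package name -> set of pinned versions (yarn.lock v1 layout only)."""
    versions = {}
    names = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        if not line.startswith(" "):
            # Entry header: comma-separated, optionally quoted "name@range" specs.
            specs = [s.strip().strip('"') for s in line.rstrip(":").split(",")]
            # Split on the LAST "@" so scoped names such as @scope/pkg survive.
            names = sorted({s.rsplit("@", 1)[0] for s in specs})
            continue
        m = re.match(r'\s+version\s+"([^"]+)"', line)
        if m:
            for n in names:
                versions.setdefault(n, set()).add(m.group(1))
    return versions


def parse_package_lock(text):
    """Map package name -> set of pinned versions for lockfileVersion 1, 2 or 3."""
    data = json.loads(text)
    versions = {}

    def walk_v1(deps):
        # lockfileVersion 1 nests transitive dependencies under each entry.
        for name, info in deps.items():
            versions.setdefault(name, set()).add(info["version"])
            walk_v1(info.get("dependencies", {}))

    if "packages" in data:  # lockfileVersion 2 and 3 key entries by install path
        for path, info in data["packages"].items():
            if not path:  # "" is the root project itself, not a dependency
                continue
            name = path.rsplit("node_modules/", 1)[-1]
            versions.setdefault(name, set()).add(info["version"])
    else:
        walk_v1(data.get("dependencies", {}))
    return versions


def lockfile_drift(yarn_text, package_lock_text):
    """Return sorted (name, yarn_versions, npm_versions) tuples that disagree."""
    yarn = parse_yarn_lock(yarn_text)
    npm = parse_package_lock(package_lock_text)
    drift = []
    for name in sorted(set(yarn) | set(npm)):
        yv, nv = yarn.get(name, set()), npm.get(name, set())
        if yv != nv:
            drift.append((name, sorted(yv), sorted(nv)))
    return drift


if __name__ == "__main__":
    # In CI you would read the real files instead of the constructed samples.
    problems = lockfile_drift(SAMPLE_YARN_LOCK, SAMPLE_PACKAGE_LOCK)
    for name, yv, nv in problems:
        print(f"DRIFT {name}: yarn.lock={yv} package-lock.json={nv}")
    raise SystemExit(1 if problems else 0)
```

Run against the samples it reports `DRIFT minimist: yarn.lock=['1.2.5'] package-lock.json=['1.2.6']` and exits non-zero; in a pipeline you would swap the constructed strings for the contents of the two checked-in files and run it alongside `yarn import` (or a fresh `npm install`) before merging a dependency change. Comparing the full set of versions per package rather than a single value matters because both lockfiles can legitimately pin the same package at several versions for different ranges.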