lockignore v1.0.14

.lockignore for NPM

Introduction

In recent years, NPM has become the most widely used package system in the world. NPM has a good way of dealing with package dependencies that allows us to install and upgrade packages when needed.

As you probably know; with the first package installed, NPM also creates a file called "package-lock.json". The purpose of this file is to be able to have a locked state when it comes to which versions of dependencies are used.

This is a good thing, but sometimes you experience that you would have liked a package to always be updated to the latest version automatically.

A typical scenario for this is how we build modern applications with micro frontends;

Imagine that you have an application stack that consists of several micro front ends. Divided between these micro applications, you have one or more shared components. For example. a menu, header, access control or similar.

Since the platform consists of several different applications, you are dependent on updating all the apps if you make a sufficient update of the trap component.

Having to go through updating "package-lock.json" for all these apps for an update in the common component seems pointless and unnecessary. It would only be better if we could say that this private package (which I myself maintain), should always be updated automatically by an automated build and rollout of the platform.

This is exactly what lockignore does. It gives you the possibility to add a file called ".lockignore" to your repository, and in this file list all packages you would like "package-lock.json" to ignore.

Getting started

1. Install lockingore as a package to your project

yarn add lockignore

or

npm install --save lockignore

2. Create a ".lockignore" file to the root of your repo containing the packages you would like "package-lock.json" to ignore when updating.

@scope/package1
@scope/package2

3. In your package.json file, add a "postinstall" property under the "script" containing "./node_modules/.bin/lockignore".

  "scripts": {
    "postinstall": "./node_modules/.bin/lockignore"
  }

Example of whole package.json

{
  "name": "testoflockignore",
  "version": "1.0.0",
  "description": "",
  "main": "index.js",
  "scripts": {
    "postinstall": "./node_modules/.bin/lockignore",
    "test": "echo \"Error: no test specified\" && exit 1"
  },
  "author": "",
  "license": "ISC",
  "dependencies": {
    "lockignore": "^1.0.4",
    "express": "^4.17.1",
    "mocha": "^9.1.3",
    "@scope/package1": "^1.0.0",
    "@scope/package2": "^2.0.0"
  }
}

4. Make sure that .lockignore is included in your docker build process Example in dockrfile

COPY yarn.lock package.lock .lockignore ./

How does it work

Lockignore is just a simple script that will run yarn upgrade @scope/package1 or npm upgrade @scope/package1 as prescript to install.