lockignore v1.0.14
.lockignore for NPM
Introduction
In recent years, NPM has become the most widely used package system in the world. NPM has a good way of dealing with package dependencies that allows us to install and upgrade packages when needed.
As you probably know, when the first package is installed, NPM also creates a file called "package-lock.json". The purpose of this file is to lock which versions of the dependencies are used.
This is a good thing, but sometimes you would like a package to always be updated to the latest version automatically.
A typical scenario for this is how we build modern applications with micro frontends:
Imagine that you have an application stack that consists of several micro frontends. These micro applications share one or more components, for example a menu, header, access control or similar.
Since the platform consists of several different applications, you have to update all the apps whenever you make a sufficiently large update to the shared component.
Having to update "package-lock.json" in all these apps for an update to the common component seems pointless and unnecessary. It would be better if we could say that this private package (which I myself maintain) should always be updated automatically by an automated build and rollout of the platform.
This is exactly what lockignore does. It lets you add a file called ".lockignore" to your repository and list in it all the packages you would like "package-lock.json" to ignore.
Getting started
- Install lockignore as a package in your project
yarn add lockignore
or
npm install --save lockignore
- Create a ".lockignore" file in the root of your repo containing the packages you would like "package-lock.json" to ignore when updating.
@scope/package1
@scope/package2
- In your package.json file, add a "postinstall" property under "scripts" containing "./node_modules/.bin/lockignore".
"scripts": {
  "postinstall": "./node_modules/.bin/lockignore"
}
Example of whole package.json
{
  "name": "testoflockignore",
  "version": "1.0.0",
  "description": "",
  "main": "index.js",
  "scripts": {
    "postinstall": "./node_modules/.bin/lockignore",
    "test": "echo \"Error: no test specified\" && exit 1"
  },
  "author": "",
  "license": "ISC",
  "dependencies": {
    "lockignore": "^1.0.4",
    "express": "^4.17.1",
    "mocha": "^9.1.3",
    "@scope/package1": "^1.0.0",
    "@scope/package2": "^2.0.0"
  }
}
- Make sure that .lockignore is included in your Docker build process. Example in a Dockerfile:
COPY yarn.lock package-lock.json .lockignore ./
How does it work
Lockignore is just a simple script that runs yarn upgrade @scope/package1 or npm upgrade @scope/package1 for the packages listed in .lockignore, as a script hooked into install (the "postinstall" entry shown above).
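The mechanism described above, as an added sketch that is not lockignore's own source. Because listed packages are upgraded outside the lockfile's pinning, it only lets names in your own scope through and builds the upgrade command as an argument array rather than a shell string. The function names, the allowedScope and useYarn parameters, and the single combined command are assumptions.

```javascript
// Added example, not lockignore's source; names and policy are assumptions.

// Conservative npm package-name pattern: optional @scope/, lowercase only, and
// no leading "-", "." or "_", so an entry can never be read as a CLI flag.
const NAME_RE = /^(?:@[a-z0-9~][a-z0-9._~-]*\/)?[a-z0-9~][a-z0-9._~-]*$/;

// Parse .lockignore text (one package per line, as in the README).
// Entries that are malformed or outside allowedScope are rejected, so only
// packages you maintain yourself are allowed to float past the lockfile.
function parseLockignore(text, allowedScope) {
  const packages = [];
  const rejected = [];
  for (const raw of text.split(/\r?\n/)) {
    const name = raw.trim();
    if (name === "") continue; // skip blank lines
    const ok = NAME_RE.test(name) && name.startsWith(allowedScope + "/");
    if (!ok) rejected.push(name);
    else if (!packages.includes(name)) packages.push(name); // de-duplicate
  }
  return { packages, rejected };
}

// Build the command as [file, args], the shape child_process.execFile takes.
// execFile does not route arguments through a shell, so nothing in a
// .lockignore line is ever interpreted as shell syntax.
function buildUpgradeCommand(packages, useYarn) {
  if (packages.length === 0) return null; // nothing to upgrade
  return [useYarn ? "yarn" : "npm", ["upgrade", ...packages]];
}

// Constructed sample .lockignore content.
const sample = [
  "@scope/package1",
  "@scope/package2",
  "",
  "express",                        // public package: must stay locked
  "@scope/package3; echo injected", // shell metacharacters
  "--force",                        // would be parsed as a flag
].join("\n");

const demo = parseLockignore(sample, "@scope");
console.log(demo.packages, demo.rejected);
console.log(buildUpgradeCommand(demo.packages, false));
```

In CI, a non-empty rejected list is a good reason to fail the build before any upgrade runs.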