Do I commit the package-lock.json file created by npm 5?

Question

npm 5 was released today and one of the new features include deterministic installs with the creation of a package-lock.json file.

Is this file supposed to be kept in source control?

I'm assuming it's similar to yarn.lock and composer.lock, both of which are supposed to be kept in source control.

Answer 1

Yes definitely, you should commit the package-lock.json.

Also, I would highly recommend to use npm ci instead of npm install while building your applications both on your CI as well as on your local development machine, and that workflow would require the existence of a package-lock.json.

Why not to use npm install? 

A huge downside of npm install command is that it may mutate the package-lock.json, on the other hand, npm ci only uses the versions specified in the lockfile, but most importantly it produces an error if the package-lock.json and package.json are out of sync.

So, running npm ci locally, especially in larger teams with multiple developers, is a good decision to stay away from conflicts.