Commit lockfile for consistent CI and installs

[uncenter]

Lockfiles exist to guarantee consistency across installs, especially in CI tests! This is a fresh lockfile from a fresh clone and install, and all tests are passing.

[zachleat]

What are the drawbacks to checking in the lockfile?

• Minor updates in dependencies must be opted into at the project level, right?
• Increase in source conflicts

Others?

[uncenter]

Minor updates in dependencies must be opted into at the project level, right?

Can you elaborate?

Increase in source conflicts

Sure, but that's easily resolved and doesn't outweigh the benefits of consistent package versioning in different environments.

[Aankhen]

What are the drawbacks to checking in the lockfile?

• Minor updates in dependencies must be opted into at the project level, right?

• Increase in source conflicts

Others?

That seems like a fair summary. I’d like to emphasize for clarity that all changes to dependencies must be explicit, whether minor or major, upgrade or downgrade, etc. I agree with uncenter that conflicts in lockfiles are generally trivial to resolve, especially outside a monorepo, but that’s certainly a non-zero cost that should be considered.

(As for the more general question, I’m entirely on the side of committing it.)