Why does the repo not have a package manager lock file?

[daradermody]

Lock files should generally be commited to a repo because it could cause a lot of issue otherwise. Without it, builds are no longer deterministic:

• New G6 patch versions might have bugs (or malicious code) introduced from changes in dependency versions, and it will not be obvious why since you wouln't be able to reproduce locally without deleting node_modules and reinstalling
• Every developer might have a slightly different version because dependencies had different versions available when they set up their repo locally,
• You will not be able to easily determine what versions of packages were in each G6 version, and therefore not be able to easily reproduce any G6 version locally

So I was wondering what the reason was for not having one.

[petercat-assistant[bot]]

The absence of a package manager lock file in a repository can indeed lead to the issues you've mentioned, such as non-deterministic builds and difficulties in reproducing specific versions. However, the decision to include or exclude a lock file can depend on various factors, including the project's development workflow, the team's preferences, or specific technical reasons.

In some cases, projects might choose not to commit lock files to avoid conflicts in multi-developer environments or because they rely on other methods to ensure consistency across environments. It's also possible that the lock file is intentionally excluded to encourage the use of the latest compatible versions of dependencies.

To get a definitive answer, it would be best to reach out to the maintainers of the antvis/G6 repository directly through their GitHub discussions or issues page. They might provide insights into their reasoning for not including a lock file.

If you have any more questions or need further assistance, feel free to ask!

🪧 Tips

For further assistance, please describe your question in the comments and @petercat-assistant to start a conversation with me.