| 17 Nov 2025 |
dish [Fox/It/She] | In reply to @tomodachi94:matrix.org He wrote a very famous thing about how lockfiles are for "apps, not CLIs"... which makes his stance very confusing yeah I've never understood that stance | 03:53:34 |
dish [Fox/It/She] | especially since it costs him nothing to maintain a lockfile | 03:53:45 |
dish [Fox/It/She] | frankly npm should remove the option to disable package-lock.json generation | 03:54:25 |
dish [Fox/It/She] | though then it just gets added to gitignore and i get sad | 03:54:46 |
Tomodachi94 (they/them) | I'm thinking about maybe having a nix-community repo for storing lockfiles of projects that don't like them... then we can do fetchurl from the repository maybe? | 03:55:25 |
Tomodachi94 (they/them) | (I feel like maybe this, or something like it, has been proposed before somewhere?) | 03:56:12 |
dish [Fox/It/She] | In reply to @tomodachi94:matrix.org I'm thinking about maybe having a nix-community repo for storing lockfiles of projects that don't like them... then we can do fetchurl from the repository maybe? RFC 0191 by yours truly 😉 | 03:56:15 |
dish [Fox/It/She] | i need to work on that more though | 03:56:28 |
dish [Fox/It/She] | just been burnt out on that front, but I think it would overall be a good thing | 03:56:44 |
dish [Fox/It/She] | also frankly i want to unify the JS dependency fetchers (fetchNpmDeps, fetchYarnDeps, pnpm.fetchDeps, and the new fetchDenoDeps) cuz theres too much divergence between them | 03:57:57 |
dish [Fox/It/She] | one's rust(npm), one's js(yarn1), two use the upstream package manager(pnpm, yarnBerry) and one is a TS/Rust hybrid(deno) | 03:59:02 |
dish [Fox/It/She] | and we dont even have bun yet(though that is also being worked on?) | 03:59:21 |
Tomodachi94 (they/them) | I'm going to check how big the generated lockfile ends up being. If it's pretty small it might commit it? | 03:59:26 |
dish [Fox/It/She] | * also frankly i want to unify the JS dependency fetchers (fetchNpmDeps, fetchYarnDeps, pnpm.fetchDeps, and the still in PR fetchDenoDeps) cuz theres too much divergence between them | 04:00:00 |
Tomodachi94 (they/them) | As for lockfile maintenance for applications: my opinion is that lockfiles don't need to be updated on every single change, but definitely do it right before a release... but unfortunately this is not Sorhus' opinion | 04:00:49 |
dish [Fox/It/She] | oh yeah if ur updating ur lockfile constantly thats an issue | 04:01:16 |
dish [Fox/It/She] | cuz then you just have constant merge conflicts | 04:01:39 |
dish [Fox/It/She] | In reply to @tomodachi94:matrix.org I'm going to check how big the generated lockfile ends up being. If it's pretty small it might commit it? fine to commit to nixpkgd if its small, but considering the number of deps it has listed im skeptical | 04:04:14 |
dish [Fox/It/She] | * In reply to @tomodachi94:matrix.org I'm going to check how big the generated lockfile ends up being. If it's pretty small it might commit it? fine to commit to nixpkgs if its small, but considering the number of deps it has listed im skeptical | 04:04:25 |
dish [Fox/It/She] | * In reply to @tomodachi94:matrix.org I'm going to check how big the generated lockfile ends up being. If it's pretty small it might commit it? fine to commit to nixpkgs if its small, but considering the number of deps it has listed in node-packages.nix im skeptical | 04:04:40 |
Tomodachi94 (they/them) | 308 kB... so pretty big | 04:06:10 |
dish [Fox/It/She] | .> | 04:06:23 |
dish [Fox/It/She] | * ugh | 04:06:32 |
dish [Fox/It/She] | yeah thats... a bit much for me to be okay with someone committing it | 04:07:04 |
Tomodachi94 (they/them) | Is it acceptable to have the lockfile fetched from a repository I maintain? | 04:07:04 |
dish [Fox/It/She] | i'd be fine with that | 04:07:51 |
Tomodachi94 (they/them) | "https://github.com/tomodachi94/package-lock.json-locker is my name, and basically being a CDN is my game" | 04:14:34 |
dotlambda | In reply to @tomodachi94:matrix.org Is it acceptable to have the lockfile fetched from a repository I maintain? I don't think that's a good idea before there's consensus on doing so. And such a repo should probably be hosted under the NixOS org and come with a bot that regularly updates each lock file and then opens a Nixpkgs PR. Or at least updateScripts should be able to update the lock files, so we'd need some way of telling the bot to commit the lock file for a new version | 04:23:15 |
Tomodachi94 (they/them) | Hmm, I wonder if maybe he'd be okay with a lockfile getting attached to a GitHub Release automatically by a GitHub Action | 04:34:12 |