Open
Description
New Feature / Enhancement Checklist
- I am not disclosing a vulnerability.
- I am not just asking a question.
- I have searched through existing issues.
Current Limitation
It is currently undefined if and when package-lock.json should be completely regenerated.
The current approach seems to allow (partial) updates when:
- snyk updates
- a PR requires un-/install of a dependency
The limitations of that seem to be:
- snyk only updates for security vulnerabilities
- a PR requiring un-/install of a dependency comes along at irregular points in time and - if I'm not mistaken - does not regenerate the whole file.
The effect seems to be that sub-dependencies of packages that use range operators do not get updated. This is especially true for packages with low release frequency.
From a package deployment perspective, package-lock.json should be touched with care as it ensures a consistent dependency tree across deployments. However, from a package development perspective, regularly rebuilding package-lock.json seems a necessity due to the common use of range operators in dependencies.
Suggestion
Regularly completely regenerate package-lock.json in a dedicated PR. Possibly automated.
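One way to implement the suggested automation, as an added example that is not part of this issue and not the project's own tooling: a GitHub Actions workflow that runs on a schedule, deletes package-lock.json, regenerates it from the ranges in package.json, and opens a PR only if the file changed. The workflow path, the schedule, the Node version, the branch name and the use of the third-party `peter-evans/create-pull-request` action are all assumptions.

```yaml
# .github/workflows/regenerate-lockfile.yml (assumed path; added example, not the project's workflow)
name: Regenerate package-lock.json

on:
  schedule:
    - cron: '0 6 * * 1'   # assumed cadence: weekly, Monday 06:00 UTC
  workflow_dispatch:       # also allow a manual run

# Minimum scopes the PR-creating step needs; everything else stays read-only.
permissions:
  contents: write
  pull-requests: write

jobs:
  regenerate:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - uses: actions/setup-node@v4
        with:
          node-version: 20   # assumed; pin to whatever the project targets
          registry-url: 'https://registry.npmjs.org'

      - name: Rebuild the lockfile from scratch
        # Deleting the file first forces npm to re-resolve every range in
        # package.json instead of keeping the previously locked versions.
        # --package-lock-only writes only package-lock.json (no node_modules);
        # --ignore-scripts makes sure no install hook of a freshly resolved
        # package runs on the CI runner during this step.
        run: |
          rm -f package-lock.json
          npm install --package-lock-only --ignore-scripts

      - name: Open a PR if anything changed
        # Creates no PR when the working tree is clean, so a run without
        # dependency movement is a no-op.
        uses: peter-evans/create-pull-request@v6
        with:
          commit-message: 'chore(deps): regenerate package-lock.json'
          branch: chore/regenerate-lockfile   # assumed branch name
          title: 'chore(deps): regenerate package-lock.json'
          body: |
            Automated full regeneration of package-lock.json so that
            sub-dependencies behind range operators are picked up.
          delete-branch: true
```

The resulting PR should still go through the project's normal CI (`npm ci` plus the test suite) before merge, and reviewers should look at the lockfile diff for unexpected new packages or changed `resolved`/`integrity` entries, because a full regeneration is exactly the point at which a hijacked or typosquatted sub-dependency would enter the tree. One caveat: a PR opened with the default `GITHUB_TOKEN` does not trigger other `pull_request` workflows, so if CI must run automatically on it, pass a PAT or GitHub App token through the action's `token` input.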