Question: how to suppress commit of package-lock.json? #1936
When I use semantic-release in a non-Node.js project, a package-lock.json file is committed to the repository as part of the commit that updates the CHANGELOG.md file. Here is an example. This occurred after I had previously done the following to this project yesterday:
But despite those two commits that were merged into the project yesterday, after merging in a PR today and triggering the semantic-release deploy stage, package-lock.json has been committed to the repo again. The main reason that I would like to avoid having package-lock.json committed as part of this project is to avoid inadvertent vulnerability alerts displayed by GitHub based on the dependencies contained in package-lock.json. Is there a trick to avoiding the creation/update of this file by semantic-release? Thanks in advance for any help on this!
Replies: 1 comment 1 reply
you have a couple of options:

if you truly do not want to use a lockfile for the project, the recommended way would be to actually disable npm from generating one in the first place by configuring package-lock=false in your .npmrc file.

alternatively, you can configure assets for the @semantic-release/git plugin. as you can see from the docs of that plugin, package-lock.json is included in the default list.
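
A check for the second option in the reply above, as an added example that is not from the discussion or from the semantic-release project: it reports whether a parsed release config would let @semantic-release/git commit package-lock.json. The function name `auditGitAssets` and the two sample configs are constructed for illustration; the default asset list is copied from that plugin's docs, and glob entries are flagged for manual review rather than expanded.

```javascript
// Added example; auditGitAssets and the sample configs are illustrative names,
// not part of semantic-release.
const GIT_PLUGIN = '@semantic-release/git';
// Default `assets` of @semantic-release/git, per that plugin's docs.
const DEFAULT_ASSETS = ['CHANGELOG.md', 'package.json', 'package-lock.json', 'npm-shrinkwrap.json'];

function auditGitAssets(config) {
  const entry = (config.plugins || []).find(
    (p) => (Array.isArray(p) ? p[0] : p) === GIT_PLUGIN
  );
  const result = { commitsLockfile: false, globsToReview: [] };
  if (!entry) return result; // git plugin not configured: no release commit
  const options = (Array.isArray(entry) && entry[1]) || {};
  // An omitted `assets` option means the default list, which includes the lockfile.
  const assets = options.assets === undefined ? DEFAULT_ASSETS : options.assets;
  if (assets === false) return result; // `assets: false` adds no files to the commit
  // Entries are glob strings, arrays of globs, or { path } objects.
  const paths = [].concat(assets).flat()
    .flatMap((a) => (typeof a === 'string' ? [a] : [].concat(a.path)));
  for (const p of paths) {
    if (/[*?{[!]/.test(p)) result.globsToReview.push(p); // glob, not expanded here
    else if (p.split('/').pop() === 'package-lock.json') result.commitsLockfile = true;
  }
  return result;
}

// Constructed configs: the plugin with no options, then with an explicit asset list.
const before = { plugins: ['@semantic-release/changelog', GIT_PLUGIN] };
const after = {
  plugins: ['@semantic-release/changelog', [GIT_PLUGIN, { assets: ['CHANGELOG.md'] }]],
};
console.log(auditGitAssets(before));
console.log(auditGitAssets(after));
```

Run against the project's own release config in CI, a `commitsLockfile: true` result or a non-empty `globsToReview` is the signal to set `assets` explicitly.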