Lock toolchain dependencies' version

[634750802]

What problem does this feature solve?

CI always reinstall packages, and it's difficult to find the problem from toolchains like webpack or babel. Locking the dependencies' version helps.

See issue webpack/webpack#8656.

What does the proposed API look like?

None

[LinusBorg]

That problem wouldn't really have been avoided by us locking dependencies.

Plus, this means that we would have to update our own packages daily, practically speaking. Because otherwise we would risk missing patch releases.

Your project has a lock file which locks your dependencies anyway, so i don't see any worthwhile advantage in your proposal

[634750802]

Thanks for reply. The fact is, I didn't know when webpack updates from v4.28.* to v4.29.0, I have to track all @vue/cli-service dependencies to find if I was wrong (My bad for not checking github issues first :)).

The cli-service is really a complicated program, how about locking the minor version to reduce the risk from other dependencies?

[Akryum]

You should either have a package-lock.json or a yarn.lock file in your project if you use npm or yarn. This files already contains all the versions of all the installed packages in node_modules no matter if they are direct or transitive (dependencies of other packages). Your CI will either run npm install or yarn, which will install the exact same versions.

[634750802]

What if I upgrade some packages like @vue/cli-service? It always requires the latest version of webpack 4.

[Akryum]

Unless you delete your lock file or we manually change the version in @vue/cli-service package.json, the webpack version won't change.

[634750802]

It’s Wired, I haven’t deleted my lock file, but the webpack version just changed.