Tom MacWright

Read your lockfiles

🎉 Programming pro tip I guess 🎉

If you’re writing JavaScript, Rust, or a bunch of other languages, then you’ll typically have dependencies, tracked by something like package.json or Cargo.toml. Those files list what you asked for, usually as version ranges. When you install, the package manager resolves those ranges, pulls in the sub-dependencies each of them needs, and records the exact version of every package in the resulting tree, along with where it was fetched from and a checksum of its contents, in another file: package-lock.json, or Cargo.lock, or yarn.lock, or pnpm-lock.yaml, depending on nitpicky details of your development environment.

Here’s the tip: read that file. Maybe don’t read it top-to-bottom, but when you install a new module, look at what changed in it: the entry for the module you asked for, plus everything it dragged along with it. When you’re figuring out what dependency to add to your project for some new problem you have, look at the file, because that dependency might already be in there! And if you’re using modules from people you respect in package.json, reading the lockfile gives you a sense of what dependencies and people those people respect. You can build a little social graph in your head.

Now, dependencies, I know: it’s better to have fewer of them. Managing them is grunt-work. But few projects can do without them, and learning good habits around managing and prioritizing them is pretty beneficial. They’re also a reflection of a real social element of programming that you are part of if you’re a programmer.