Should I store version in Gemfile/package.json?
tl;dr
No, unless an update breaks your system. Gemfile.lock/yarn.lock is for that.
To answer this question, I tried to get into the problem that not storing the version in the Gemfile/package.json should solve.
Gemfile and Bundle
Let’s say that I have this simple Gemfile:
source "https://rubygems.org"
gem "sinatra", "1.0.0"
And Gemfile.lock:
GEM
  remote: https://rubygems.org/
  specs:
    rack (2.0.6)
    sinatra (1.0)
      rack (>= 1.0)

PLATFORMS
  ruby

DEPENDENCIES
  sinatra (= 1.0.0)

BUNDLED WITH
   1.16.3
Now I am going to uninstall all the gems, remove that '= 1.0.0' from Gemfile, and run bundle install.
Guess what!? The same version 1.0.0 of sinatra got installed.
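As an added example (not code from the original post), here is a simplified model of why the locked version survives: a locked version is kept as long as it still satisfies the Gemfile requirement. It uses RubyGems' `Gem::Version` and `Gem::Requirement`; the helper names `locked_versions` and `lock_drift` are hypothetical, and the lockfile text is the one shown above.

```ruby
require "rubygems"

# Constructed sample: the Gemfile.lock shown above, indentation restored.
LOCK = <<~LOCKFILE
  GEM
    remote: https://rubygems.org/
    specs:
      rack (2.0.6)
      sinatra (1.0)
        rack (>= 1.0)

  PLATFORMS
    ruby

  DEPENDENCIES
    sinatra (= 1.0.0)

  BUNDLED WITH
     1.16.3
LOCKFILE

# Hypothetical helper: map gem name => locked Gem::Version.
# Resolved gems are indented exactly four spaces; their own dependencies
# (six spaces) and the DEPENDENCIES section (two spaces) do not match.
def locked_versions(lock_text)
  lock_text.scan(/^ {4}(\S+) \(([^)]+)\)$/).to_h do |name, ver|
    [name, Gem::Version.new(ver.split("-").first)] # drop any platform suffix
  end
end

# Hypothetical check: for each Gemfile entry (name => requirement string,
# nil meaning "no version given"), report when the lock cannot be reused.
def lock_drift(lock_text, gemfile_reqs)
  locked = locked_versions(lock_text)
  gemfile_reqs.filter_map do |name, req|
    version = locked[name]
    if version.nil?
      "#{name}: not in lock, resolver picks freely"
    elsif !Gem::Requirement.new(req || ">= 0").satisfied_by?(version)
      "#{name}: locked #{version} violates '#{req}', will be re-resolved"
    end
  end
end
```

An empty result means the lockfile alone determines what gets installed, which is the case both with `"1.0.0"` and with the version removed.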
package.json and npm
Let’s say that I have this package.json:
{
  "name": "app",
  "version": "1.0.0",
  "description": "",
  "main": "index.js",
  "scripts": {
    "test": "echo \"Error: no test specified\" && exit 1"
  },
  "author": "",
  "license": "ISC",
  "dependencies": {
    "express": "= 3.0.0"
  }
}
And this package-lock.json.
I’m going to do the same thing: remove node_modules, remove the version lock (replace = 3.0.0 with *), and run npm install again.
Bazinga! npm installed the version 3.0.0 again!
package.json and yarn
Let’s say that I have this package.json (the same as before):
{
  "name": "app",
  "version": "1.0.0",
  "description": "",
  "main": "index.js",
  "scripts": {
    "test": "echo \"Error: no test specified\" && exit 1"
  },
  "author": "",
  "license": "ISC",
  "dependencies": {
    "express": "= 3.0.0"
  }
}
And this yarn.lock.
I’m going to do the same thing: remove node_modules, remove the version lock (replace = 3.0.0 with *), and run yarn install again.
💥 BOOM!!! It is broken! yarn installs the latest version of express.
Well, I don’t know about you, but if some feature is in 2 (out of 3) package managers it seems to be the right one.