Yarn.lock and package-lock.json potential conflict - is yarn.lock still needed?
rmcsharry opened this issue · 1 comment
rmcsharry commented
It seems to me that the project should not have both of these lock files, it leads to confusion. Which package manager is being used, npm or yarn?
For example, I had assumed it was npm and so the PR to upgrade axios was created based on that. But notice that the yarn.lock file still specifies the previous (vulnerable) version of axios.
I think yarn.lock should be deleted, yes?
Auspicus commented
Yarn will use a package-lock.json file if a yarn.lock file is not present. We can safely remove yarn.lock.