What is package-lock.json for?

[ditto]

I am preparing to manually upgrade WHMCS from 7.2.3 to 7.5.1. Looking at the new files in 7.5.1 I find a new file named package-lock.json directly in public_html. What is that file for? Is it added there by a mistake? Can I delete it?

[WHMCS John]

Hi @ditto,

UPDATE: Refer to the following: https://whmcs.community/topic/289325-what-is-package-lockjson-for/?do=findComment&comment=1304328

[Medicomart]

You should already have a package-lock.json file if you're running 7.2.3.

 

http://www.medicomart.in

[yggdrasil]

On 6/21/2018 at 1:22 PM, WHMCS John said:

Hi @ditto,

You should already have a package-lock.json file if you're running 7.2.3.

This file is part of javascript package management, it is required, and should be left in place.

Are you sure about this John? There is no reason why this should be left in your online server as far as I'm aware on other softwares. That file is the Node JS output on the developer machine while generating source files. People are not running Node JS on their WHMCS servers so its useless. Of course I might be completely wrong but I'm curious why its advised leaving that redundant config file in place on a live production installation (not development system).

The less information you are giving attackers about the files running on a WHMCS installation the better. Listing all the versions to the whole world on what you are using seems like a bad idea.

[WHMCS John]

Hi there,

The development team have let me know that they'd prefer not to ship the packages-lock.json file, and so it has been removed from the 7.6 distro.

This file can be deleted safely.

[yggdrasil]

3 hours ago, WHMCS John said:

Hi there,

The development team have let me know that they'd prefer not to ship the packages-lock.json file, and so it has been removed from the 7.6 distro.

This file can be deleted safely.

Great. Thank you.