Vaadin automatically update versions in package-lock.json

Question

I`m using Vaadin version 14.1.5

According to migration guide, it not needed to add package-lock.json to version control, if I don`t edit it But today, without any changes in vaadin version, versions in package-lock.json was updated automatically, and out UI was broken without any changes by hands, just on next rebuild.

Why is this happened? Does it means, that I should always commit my package-lock.json stable version? Or what is correct pattern for working with dependencies in vaadin?

Answer 1

There is a regression in a transitive dependency release from last night used by Webpack to build the frontend files (affecting modern ES6 browsers in this case). In case you remove the package-lock.json file in your 14 / 15 project, you will likely get a broken frontend build artifact for production build (output of build-frontend).

We are shipping fixes for 14.1 & 14.2 and 15. In case you have removed the lock file and you need to build things today, you can workaround this by adding the following pin to the package.json:

"terser": "4.6.7",

We are taking steps to make sure this does not repeat - that the dependencies used by the frontend build (not in the app itself) are also locked and can be relied on.