How to handle /vendor and lock-files?

[BeyondEvil]

New to the wonderful world of Kubernetes and Tanka, so perhaps this is as noob as it gets. But I'm OK with that. :)

What's the common strategy/best practice when working with 3:rd party dependencies?

• Should /vendor be checked in? What are the pros and cons?
• Should jsonnetfile.lock.json be checked in? That doesn't seem to be the case in grafana/jsonnet-libs. Pros and cons?

My background is python/js/go, and there the best practices are clear regarding these types of concepts.

[sh0rez]

This highly depends whether your project is consuming libraries (infra repo, etc), or is a library itself.

Consumers:
They should check in at least jsonnetfile.json and jsonnetfile.lock.json, as those are required to correctly reproduce the dependency graph of your project, which is crucial.

Whether to check in vendor itselfs depends on your liking. It has the benefit of easily reviewing changes in dependecies, as they are in the actual PR to your own repo, but it may increase repo size quite a bit.

Libraries:
They should only check in jsonnetfile.json, but not vendor or the lockFile.

Because grafana/jsonnet-libs is a collection of libraries and not a consumer of those, it does not have a lockFile.

[BeyondEvil]

This makes sense.

Thank you! 🙏 🙇