npm@5 has been published, it has a new feature package-lock.json
file (after npm install
) which confuses me. I want to know, what is the effect of this file?
This question is related to
npm
package-lock.json
: It contains the exact version details that is currently installed for your Application.
One important thing to mention as well is the security improvement that comes with the package-lock file. Since it keeps all the hashes of the packages if someone would tamper with the public npm registry and change the source code of a package without even changing the version of the package itself it would be detected by the package-lock file.
It's an very important improvement for npm: guarantee exact same version of every package.
How to make sure your project built with same packages in different environments in a different time? Let's say, you may use ^1.2.3
in your package.json
, or some of your dependencies are using that way, but how can u ensure each time npm install
will pick up same version in your dev machine and in the build server? package-lock.json will ensure that.
npm install
will re-generate the lock file, when on build server or deployment server, do npm ci
(which will read from the lock file, and install the whole package tree)
This file is automatically created and used by npm to keep track of your package installations and to better manage the state and history of your project’s dependencies. You shouldn’t alter the contents of this file.
package-lock.json is automatically generated for any operations where npm modifies either the node_modules tree, or package.json. It describes the exact tree that was generated, such that subsequent installs are able to generate identical trees, regardless of intermediate dependency updates.
It describes a single representation of a dependency tree such that teammates, deployments, and continuous integration are guaranteed to install exactly the same dependencies.It contains the following properties.
{
"name": "mobileapp",
"version": "1.0.0",
"lockfileVersion": 1,
"requires": true,
"dependencies": {
"@angular-devkit/architect": {
"version": "0.11.4",
"resolved": "https://registry.npmjs.org/@angular- devkit/architect/-/architect-0.11.4.tgz",
"integrity": "sha512-2zi6S9tPlk52vyqNFg==",
"dev": true,
"requires": {
"@angular-devkit/core": "7.1.4",
"rxjs": "6.3.3"
}
},
}
package-lock.json
is written to when a numerical value in a property such as the "version" property, or a dependency property is changed in package.json
.
If these numerical values in package.json
and package-lock.json
match, package-lock.json
is read from.
If these numerical values in package.json
and package-lock.json
do not match, package-lock.json
is written to with those new values, and new modifiers such as the caret and tilde if they are present. But it is the numeral that is triggering the change to package-lock.json
.
To see what I mean, do the following. Using package.json
without package-lock.json
, run npm install
with:
{
"name": "test",
"version": "1.0.0",
...
"devDependencies": {
"sinon": "7.2.2"
}
}
package-lock.json
will now have:
"sinon": {
"version": "7.2.2",
Now copy/paste both files to a new directory. Change package.json
to (only adding caret):
{
"name": "test",
"version": "1.0.0",
...
"devDependencies": {
"sinon": "^7.2.2"
}
}
run npm install
. If there were no package-lock.json
file, [email protected] would be installed. npm install
is reading from package-lock.json
and installing 7.2.2.
Now change package.json
to:
{
"name": "test",
"version": "1.0.0",
...
"devDependencies": {
"sinon": "^7.3.0"
}
}
run npm install
. package-lock.json
has been written to, and will now show:
"sinon": {
"version": "^7.3.0",
Source: Stackoverflow.com