What is the role of the package-lock json

Question

npm 5 has been published  it has a new feature package-lock json file  after npm install  which confuses me  I want to know  what is the effect of this file

User · Answer

package-lock json is written to when a numerical value in a property such as the  version  property  or a dependency property is changed in package json   If these numerical values in package json and package-lock json match  package-lock json is read from   If these numerical values in package json and package-lock json do not match  package-lock json is written to with those new values  and new modifiers such as the caret and tilde if they are present  But it is the numeral that is triggering the change to package-lock json   To see what I mean  do the following  Using package json without package-lock json  run npm install with        name    test      version    1 0 0            devDependencies          sinon    7 2 2          package-lock json will now have    sinon        version    7 2 2     Now copy paste both files to a new directory  Change package json to  only adding caret         name    test      version    1 0 0            devDependencies          sinon     7 2 2          run npm install  If there were no package-lock json file  sinon 7 3 0 would be installed  npm install is reading from package-lock json and installing 7 2 2    Now change package json to         name    test      version    1 0 0            devDependencies          sinon     7 3 0          run npm install  package-lock json has been written to  and will now show    sinon        version     7 3 0

User · Answer

package-lock json is automatically generated for any operations where npm modifies either the node modules tree  or package json  It describes the exact tree that was generated  such that subsequent installs are able to generate identical trees  regardless of intermediate dependency updates  It describes a single representation of a dependency tree such that teammates  deployments  and continuous integration are guaranteed to install exactly the same dependencies It contains the following properties         quot name quot    quot mobileapp quot        quot version quot    quot 1 0 0 quot        quot lockfileVersion quot   1       quot requires quot   true       quot dependencies quot          quot  angular-devkit architect quot            quot version quot    quot 0 11 4 quot          quot resolved quot    quot https   registry npmjs org  angular- devkit architect - architect-0 11 4 tgz quot          quot integrity quot    quot sha512-2zi6S9tPlk52vyqNFg   quot          quot dev quot   true         quot requires quot              quot  angular-devkit core quot    quot 7 1 4 quot            quot rxjs quot    quot 6 3 3 quot

User · Answer

It s an very important improvement for npm  guarantee exact same version of every package    How to make sure your project built with same packages in different environments in a different time  Let s say  you may use  1 2 3 in your package json  or some of your dependencies are using that way  but how can u ensure each time npm install will pick up same version in your dev machine and in the build server  package-lock json will ensure that   npm install will re-generate the lock file  when on build server or deployment server  do npm ci  which will read from the lock file  and install the whole package tree

User · Answer

It stores an exact  versioned dependency tree rather than using starred versioning like package json itself  e g  1 0     This means you can guarantee the dependencies for other developers or prod releases  etc  It also has a mechanism to lock the tree but generally will regenerate if package json changes  From the npm docs   package-lock json is automatically generated for any operations where npm modifies either the node modules tree  or package json  It describes the exact tree that was generated  such that subsequent installs are able to generate identical trees  regardless of intermediate dependency updates  This file is intended to be committed into source repositories  and serves various purposes  Describe a single representation of a dependency tree such that teammates  deployments  and continuous integration are guaranteed to install exactly the same dependencies  Provide a facility for users to  quot time-travel quot  to previous states of node modules without having to commit the directory itself  To facilitate greater visibility of tree changes through readable source control diffs  And optimize the installation process by allowing npm to skip repeated metadata resolutions for previously-installed packages  quot   Edit To answer jrahhali s question below about just using the package json with exact version numbers  Bear in mind that your package json contains only your direct dependencies  not the dependencies of your dependencies  sometimes called nested dependencies   This means with the standard package json you can t control the versions of those nested dependencies  referencing them directly or as peer dependencies won t help as you also don t control the version tolerance that your direct dependencies define for these nested dependencies  Even if you lock down the versions of your direct dependencies you cannot 100  guarantee that your full dependency tree will be identical every time  Secondly you might want to allow non-breaking changes  based on semantic versioning  of your direct dependencies which gives you even less control of nested dependencies plus you again can t guarantee that your direct dependencies won t at some point break semantic versioning rules themselves  The solution to all this is the lock file which as described above locks in the versions of the full dependency tree  This allows you to guarantee your dependency tree for other developers or for releases whilst still allowing testing of new dependency versions  direct or indirect  using your standard package json  NB  The previous shrink wrap json did pretty much the same thing but the lock file renames it so that it s function is clearer  If there s already a shrink wrap file in the project then this will be used instead of any lock file

User · Answer

This file is automatically created and used by npm to keep track of your package installations and to better manage the state and history of your project   s dependencies  You shouldn   t alter the contents of this file

User · Answer

One important thing to mention as well is the security improvement that comes with the package-lock file  Since it keeps all the hashes of the packages if someone would tamper with the public npm registry and change the source code of a package without even changing the version of the package itself it would be detected by the package-lock file

User · Answer

package-lock json  It contains the exact version details that is currently installed for your Application

[npm] What is the role of the package-lock.json?

Examples related to npm