Good day.
I have read the npm documentation and the forums, but I still don't quite understand the purpose of this file.
This is what the npm documentation says:
This file is intended to be committed to source repositories and serves several purposes:
1) Describes a single representation of the dependency tree, so that teammates and deployments are guaranteed to install exactly the same dependencies.
2) Gives users the ability to "travel in time" to previous states of node_modules without committing the directory itself.
3) Makes changes in the tree more visible with readable
4) Streamlines the installation process by letting npm skip already-installed duplicate packages.
Point 1 raises a question right away, because package-lock.json is not in my ignore file! It gets committed.
And as the same doc says, when we run npm i, the package manager installs the dependencies that are described in the
After downloading each library, we go inside it and install its dependencies (and so on recursively).
At this stage, package-lock.json simply records which internal dependencies of the main libraries we have downloaded.
How does that help to "ensure the same dependencies"?
And all of this fully follows from point 3.
Well, I agree with point 4: indeed, if such a package is already in node_modules (with the same version and hash), it will not be installed again. BUT, again, this information can be obtained not from package-lock.json but from the dependencies of the main package, because almost every lib has its own internal package.json. That is, we do not need an intermediate file.
Do I understand everything correctly? Please correct me!
Answer 1, authority 100%
Besides dependencies, package.json is also used to define project properties (description, author and license information, scripts), while package-lock.json is used exclusively to lock dependencies to specific version numbers.
package-lock.json is optional in the project.
Also, to disable automatic creation of this file, you can write package-lock = false.
Answer 2, authority 97%
When you write jQuery: "1.3.*" in package.json, the asterisk is replaced with the highest number available at that moment, for example 1.3.7. You uploaded the project to GitHub; a year later some person downloaded it to their computer, ran npm i, and got 1.3.9 from the Internet because the developers had already published a new version, so the two of you have different versions. It seems like the sources are the same, but your friend has a bug and you don't. One solution is to add node_modules to git, which is an extremely wild solution. That is why the package-lock file exists: it is a simplified snapshot of the node_modules folder with all the SPECIFIC versions installed there.
You just don't push node_modules to git, only this one file, and when Petya runs npm i, exactly the same versions as yours will be downloaded from the Internet.
Plus, when you perform some operations via npm, if this file exists, Node does not need to walk node_modules and scan which versions are installed there; it just uses package-lock as a database.
Answer 3, authority 10%
Fixing package versions is its purpose.
However, running the npm install command does not guarantee installation of the same package versions that were fixed in
Depending on what is written in package.json before the package version (I mean symbols such as ^), packages will still be updated, and package-lock.json will be modified by npm itself to reflect the installed updates.
This behavior is highly undesirable during automated project builds and when installing packages (also automatically, in CI scripts) in order to run tests.
There is the npm ci command for this.
According to the documentation, before installing packages with this command, the project's node_modules folder is removed.
When packages with fixed versions are reinstalled, the resulting node_modules may differ, because dependencies may have been updated. To achieve a deterministic installation, npm uses the package-lock.json file, which explicitly describes the versions of all dependencies.
When you run the npm i command, the installer gets the list of project dependencies from package.json and updates package-lock.json as they are installed, writing there the complete dependency tree with the necessary metadata.
To install packages from package-lock.json, you need to use a different command, npm ci. This command installs all dependencies, creating a dependency tree identical to the one that existed when npm i was last run.
Besides being deterministic, npm ci gives a very noticeable speedup in package installation, so it is most often used in CI systems.
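As an added example illustrating Answer 2 and Answer 3 (this is not code from the thread or from npm itself), the script below simulates the two install strategies on constructed data: resolving from the ranges in package.json picks the newest published version each time, so the result drifts as the registry gains releases, whereas resolving from package-lock.json returns the pinned versions and refuses to proceed when the lock is missing an entry, disagrees with package.json, or lacks an integrity hash, which mirrors how npm ci exits with an error on a lock that does not match package.json. The registry snapshot, the manifests, the registry.example.test URLs and the PLACEHOLDER integrity values are all made up for the example, and the range matcher covers only the forms mentioned in the thread (*, 1.3.*, ^, ~, exact), not the full semver grammar.

```javascript
// Added example, not from the original thread or from npm: simulates install-from-ranges
// versus install-from-lock. All data below is constructed sample data.

// Constructed registry snapshot: versions published for each package, oldest first.
const REGISTRY = {
  jquery: ["1.3.7", "1.3.9", "1.4.0"],
  lodash: ["4.17.20", "4.17.21", "5.0.0"],
};

// Constructed package.json: ranges, not exact versions.
const PACKAGE_JSON = {
  dependencies: { jquery: "1.3.*", lodash: "^4.17.20" },
};

// Constructed package-lock.json (lockfileVersion 3 layout): exact versions plus the
// resolved URL and integrity hash that a real lock records per package (placeholders here).
const PACKAGE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "node_modules/jquery": {
      version: "1.3.7",
      resolved: "https://registry.example.test/jquery/-/jquery-1.3.7.tgz",
      integrity: "sha512-PLACEHOLDER_jquery_1_3_7",
    },
    "node_modules/lodash": {
      version: "4.17.20",
      resolved: "https://registry.example.test/lodash/-/lodash-4.17.20.tgz",
      integrity: "sha512-PLACEHOLDER_lodash_4_17_20",
    },
  },
};

// Parse "major.minor.patch" into three numbers.
function parseVersion(v) {
  const parts = v.split(".").map(Number);
  if (parts.length !== 3 || parts.some(Number.isNaN)) throw new Error(`bad version: ${v}`);
  return parts;
}

// Numeric comparison of two versions (negative, zero, positive).
function compareVersions(a, b) {
  const [x, y] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) if (x[i] !== y[i]) return x[i] - y[i];
  return 0;
}

// Minimal matcher for the range forms discussed in the thread: "*", "1.3.*" / "1.3.x",
// "^x.y.z", "~x.y.z" and exact versions. Not the full semver grammar.
function satisfies(version, range) {
  const v = parseVersion(version);
  if (range === "*") return true;
  const wild = range.match(/^(\d+)\.(\d+)\.[*x]$/);
  if (wild) return v[0] === Number(wild[1]) && v[1] === Number(wild[2]);
  const op = range[0];
  if (op === "^" || op === "~") {
    const base = range.slice(1);
    const b = parseVersion(base);
    if (compareVersions(version, base) < 0) return false;
    if (op === "~") return v[0] === b[0] && v[1] === b[1];
    // Caret: same major; for 0.y.z the minor is the compatibility boundary, for 0.0.z the patch.
    if (b[0] !== 0) return v[0] === b[0];
    if (b[1] !== 0) return v[0] === 0 && v[1] === b[1];
    return v[0] === 0 && v[1] === 0 && v[2] === b[2];
  }
  return compareVersions(version, range) === 0;
}

// Lock-less install: pick the newest published version satisfying each range,
// so the result changes whenever the registry gains a matching release.
function resolveFromRanges(deps, registry) {
  const picked = {};
  for (const [name, range] of Object.entries(deps)) {
    const candidates = (registry[name] || []).filter((v) => satisfies(v, range));
    if (candidates.length === 0) throw new Error(`no published version of ${name} satisfies ${range}`);
    picked[name] = candidates.sort(compareVersions).pop();
  }
  return picked;
}

// Lock-based install: take versions from the lock, and refuse to proceed when the lock
// is missing a dependency, disagrees with package.json, or has no resolved URL/integrity.
function resolveFromLock(deps, lock) {
  const picked = {};
  for (const [name, range] of Object.entries(deps)) {
    const entry = lock.packages[`node_modules/${name}`];
    if (!entry) throw new Error(`${name} is declared in package.json but absent from the lock`);
    if (!satisfies(entry.version, range)) {
      throw new Error(`lock pins ${name}@${entry.version}, which does not satisfy ${range}`);
    }
    if (!entry.resolved || !entry.integrity) {
      throw new Error(`lock entry for ${name} has no resolved URL or integrity hash`);
    }
    picked[name] = entry.version;
  }
  return picked;
}

console.log("install from ranges:", resolveFromRanges(PACKAGE_JSON.dependencies, REGISTRY));
console.log("install from lock:  ", resolveFromLock(PACKAGE_JSON.dependencies, PACKAGE_LOCK));
```

With the constructed registry, the range-based resolution yields jquery 1.3.9 and lodash 4.17.21 while the lock yields 1.3.7 and 4.17.20: same package.json, two different trees, which is exactly the drift Answer 2 describes. The integrity check in resolveFromLock is the part worth keeping in mind from a supply-chain standpoint: a committed lock carries a hash per tarball, so an install from it verifies that what is downloaded is what was recorded, which a bare range in package.json cannot do.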