
What is package-lock.json for?


Good day.
I have read the npm documentation and the forums, but I still don't quite understand the purpose of this file.

This is what the npm documentation says:

This file is meant to be committed to source repositories and
serves various purposes:

1) Describes a single representation of the dependency tree so that teammates,
deployments and continuous integration are guaranteed to
install the same dependencies.

2) Gives users the ability to "travel in time" to
previous states of node_modules without committing the directory itself.

3) Makes changes to the tree more visible through readable
source control diffs.

4) Streamlines the installation process by letting npm skip
packages that are already installed.

Point 1 raises a question right away, because I have package.json and package-lock.json not in .gitignore! They are committed.
And as the same doc says, when we run npm i, the package manager installs the dependencies described in the package.json file.
And after downloading the next library, we go inside it and install its dependencies (and so on recursively).
At this stage, package-lock.json simply records information about which internal dependencies of the main libraries we have downloaded.
How does that help "guarantee the same dependencies"?

And all of this follows directly from point 3.

Well, I agree with point 4; indeed, if such a package already exists in node_modules (with the same version and hash), then it will not be installed. BUT, again, this information can be seen not in package-lock.json but in the dependencies of the main package, because almost every lib has its own package.json inside. That is, we do not need an intermediate file.

Do I understand everything correctly? Please correct!


Answer 1, authority 100%

Besides dependencies, package.json is also used to define project properties, description, author and license information, and scripts, while package-lock.json is used exclusively to lock dependencies to a specific version number.

package-lock.json is optional in a project.
Also, to disable the automatic creation of this file, you can write `package-lock=false` in .npmrc.


Answer 2, authority 97%

When you write jQuery: "1.3.*" in package.json, npm substitutes the highest number available at that moment for the asterisk, for example 1.3.7. You upload the project to GitHub; a year later someone downloads it to their computer, runs npm i, and gets 1.3.9 from the Internet, because the developers have already published a new version, and now you have different versions. The sources seem the same, but your friend has a bug and you don't. One solution would be to add node_modules to git, which is an extremely wild solution. So instead, a simplified snapshot of the node_modules folder with all the SPECIFIC versions installed there is what the package-lock file is.

You just don't push node_modules into git, only this one file, and when Petya runs npm i, exactly the same versions as yours will be downloaded from the Internet.

Yours, Captain Obvious :)

Plus, when you do some operations via npm, if this file exists, node does not need to walk through node_modules and scan which versions are installed there; it just uses package-lock as a database.


Answer 3, authority 10%

Pinning package versions is its purpose.
However, using the npm install command does not guarantee the installation of the same package versions that were pinned in package-lock.json.
Depending on what is written in package.json before the package version (I mean the symbols ~ and ^), packages may still be updated, and package-lock.json will be modified by npm itself to reflect the installed updates.
This behavior is highly undesirable during automated project builds and when installing packages (also automatically, in CI scripts) to run tests.

There is a command, npm ci, for this.
According to the documentation, before installing packages with this command, the project's node_modules folder will be removed.


Answer 4

When re-installing packages with pinned versions, the resulting node_modules may differ, since transitive dependencies may be updated. To achieve a deterministic installation, npm uses the package-lock.json file, which explicitly describes the versions of all dependencies.

When you run the npm i command, the installer takes the list of project dependencies from package.json and updates package-lock.json as they are installed, writing there the complete dependency tree with the necessary metadata.

To install packages from package-lock.json, you need to use another command: npm ci. This command installs all dependencies, producing a dependency tree identical to the one from when npm i was last run.

In addition to being deterministic, npm ci gives a very good increase in package installation speed, so it is most often used in CI systems.
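To make the point of answers 2 and 4 concrete, here is an added example (not npm's own code, and not from any of the answers above): a small script that checks whether a package-lock.json actually pins what package.json declares, in the spirit of the consistency check `npm ci` performs before installing anything. It resolves `^` and `~` ranges the way npm does, confirms each declared dependency has a lock entry whose version lies inside the declared range, and flags entries without a sha512 `integrity` hash or with a non-HTTPS `resolved` URL, since those are what let the lockfile guarantee identical bytes, not just identical version numbers. The `packages` layout follows lockfileVersion 2/3; the package.json, lock data and integrity strings are constructed placeholders.

```javascript
// Added example, not npm's code: a minimal package.json vs. package-lock.json
// consistency check in the spirit of what `npm ci` verifies before installing.
// Lock layout follows lockfileVersion 2/3 ("packages" keyed by node_modules path).
// All sample data below is constructed; the integrity strings are placeholders.

const SAMPLE_PACKAGE_JSON = {
  name: "demo",
  version: "1.0.0",
  dependencies: {
    jquery: "^1.3.0",    // caret: >=1.3.0 <2.0.0
    "left-pad": "1.3.0", // exact pin
    express: "^4.18.0",
    chalk: "^5.0.0",
  },
};

const SAMPLE_LOCK = {
  name: "demo",
  lockfileVersion: 3,
  packages: {
    "": { dependencies: SAMPLE_PACKAGE_JSON.dependencies },
    "node_modules/jquery": {
      version: "1.3.7",
      resolved: "https://registry.npmjs.org/jquery/-/jquery-1.3.7.tgz",
      integrity: "sha512-placeholderA==",
    },
    "node_modules/left-pad": {           // weak integrity algorithm
      version: "1.3.0",
      resolved: "https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz",
      integrity: "sha1-placeholderC=",
    },
    "node_modules/express": {            // drifted outside the declared range
      version: "5.0.0",
      resolved: "https://registry.npmjs.org/express/-/express-5.0.0.tgz",
      integrity: "sha512-placeholderD==",
    },
    // chalk is declared in package.json but has no lock entry at all
  },
};

// Parse "x.y.z" into three numbers; prerelease tags are deliberately unsupported.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  if (!m) throw new Error(`unsupported version: ${v}`);
  return m.slice(1).map(Number);
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// Translate an exact pin, ^range or ~range into [lo, hi) bounds (hi null = exact).
function rangeBounds(range) {
  const op = range[0] === "^" || range[0] === "~" ? range[0] : "";
  const lo = parseVersion(op ? range.slice(1) : range);
  if (op === "") return { lo, hi: null };
  let hi;
  if (op === "~") hi = [lo[0], lo[1] + 1, 0];              // ~4.17.20 -> <4.18.0
  else if (lo[0] > 0) hi = [lo[0] + 1, 0, 0];              // ^1.3.0   -> <2.0.0
  else if (lo[1] > 0) hi = [0, lo[1] + 1, 0];              // ^0.3.0   -> <0.4.0
  else hi = [0, 0, lo[2] + 1];                             // ^0.0.3   -> <0.0.4
  return { lo, hi };
}

function satisfies(range, version) {
  const v = parseVersion(version);
  const { lo, hi } = rangeBounds(range);
  if (hi === null) return compareVersions(v, lo) === 0;
  return compareVersions(v, lo) >= 0 && compareVersions(v, hi) < 0;
}

// Return the reasons this lock cannot be trusted to reproduce package.json.
function checkLock(pkg, lock) {
  const problems = [];
  const declared = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
  for (const [name, range] of Object.entries(declared)) {
    const entry = (lock.packages || {})[`node_modules/${name}`];
    if (!entry) {
      problems.push(`${name}: declared in package.json but missing from the lock`);
      continue;
    }
    if (!satisfies(range, entry.version)) {
      problems.push(`${name}: locked ${entry.version} is outside the declared range ${range}`);
    }
    if (!entry.integrity) {
      problems.push(`${name}: no integrity hash, the tarball cannot be verified`);
    } else if (!entry.integrity.startsWith("sha512-")) {
      problems.push(`${name}: weak integrity algorithm ${entry.integrity.split("-")[0]}`);
    }
    if (entry.resolved && !entry.resolved.startsWith("https://")) {
      problems.push(`${name}: resolved over plaintext: ${entry.resolved}`);
    }
  }
  return problems;
}

for (const p of checkLock(SAMPLE_PACKAGE_JSON, SAMPLE_LOCK)) console.log(p);
```

Run it with `node` against the constructed data and it reports three problems: express is locked at 5.0.0 although package.json only allows ^4.18.0, chalk has no lock entry at all (the situation in which `npm ci` refuses to proceed while `npm i` would silently rewrite the lock), and left-pad carries only a sha1 integrity value. Only `^`, `~` and exact `x.y.z` pins are handled; anything else makes `parseVersion` throw rather than guess.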
