javascript – What is package-lock.json for?


Good day. I have read the npm documentation and the forums, but I still don't fully understand the purpose of this file.

Here's what is described on the npm documentation:

This file is intended to be committed to the source repository and serves various purposes:

1) Describes a single representation of the dependency tree so that teammates deploying the project are guaranteed to install the same dependencies.

2) Gives users the ability to "travel in time" to previous states of node_modules without committing the directory itself.

3) Facilitates greater visibility of changes in the tree through readable source control diffs.

4) Streamlines the installation process by letting npm skip already-installed packages.

My question concerns point 1 right away, because my package.json and package-lock.json are not in .gitignore! They do get committed. And as the same documentation says, when we run npm i, the package manager installs the dependencies described in package.json. After downloading the next library, we go inside it and install its dependencies (and so on recursively). At this stage, package-lock.json simply records which internal dependencies of the main libraries we downloaded. How does that help "guarantee installing the same dependencies"?

And all of this follows entirely from point 3.

Well, I agree with point 4: indeed, if such a package already exists in node_modules (with the same version and hash), it will not be installed again. BUT, again, this information can be obtained not from package-lock.json but from the dependencies of the main package, because almost every lib has its own internal package.json. I.e. we do not need an intermediate file.

Do I understand everything correctly? Please correct!


When you write jQuery: "1.3.*" in package.json, it substitutes the largest number available at that moment for the asterisk, for example 1.3.7. You uploaded the project to GitHub, someone downloaded it to their computer a year later, ran npm i, and they got 1.3.9 from the Internet because the developers had already published a new version, so now you have different versions. They seem to be the same, but your friend has a bug and you don't. One solution is to add node_modules to git, which is an extremely wild solution. Therefore, a simplified snapshot of the node_modules folder with all the SPECIFIC versions installed there is what the package-lock file is.

You just don't push node_modules into git, only this one file, and when Petya runs npm i, exactly the same versions as yours will be downloaded from the Internet.

Your cap)

Plus, when you do some operations via npm, if this file is present, Node does not need to walk through node_modules and scan which versions are installed there; it just uses package-lock as a database.
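Added example (not from the question or the answer, and not npm's own resolver, which uses the `semver` package): a small JavaScript model of the scenario above, with a constructed two-snapshot registry and a hypothetical `install` function, showing why a `1.3.*` range drifts over time and how a committed lock file pins the version a teammate gets; it also covers the edge case where a lock entry no longer satisfies package.json and has to be re-resolved.

```javascript
// Numeric comparison so that 1.3.10 sorts after 1.3.9 (string order would not).
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Only the "x.y.*" wildcard style used in the answer is modelled here.
function matchesRange(range, version) {
  const want = range.split('.');
  const have = version.split('.');
  return want.every((part, i) => part === '*' || part === have[i]);
}

// What `npm i` picks with no lock file: the highest version matching the range.
function resolveRange(range, availableVersions) {
  const ok = availableVersions.filter((v) => matchesRange(range, v)).sort(compareVersions);
  return ok.length ? ok[ok.length - 1] : null;
}

// Hypothetical install: for each dependency in package.json, a lock entry wins
// if it still satisfies the range and still exists in the registry; otherwise
// the range is resolved afresh against whatever the registry holds today.
function install(packageDeps, lock, registry) {
  const installed = {};
  for (const [name, range] of Object.entries(packageDeps)) {
    const pinned = lock && lock[name];
    const available = registry[name] || [];
    if (pinned && matchesRange(range, pinned) && available.includes(pinned)) {
      installed[name] = pinned;
    } else {
      installed[name] = resolveRange(range, available);
    }
  }
  return installed;
}

// Constructed registry snapshots: at the author's install, and a year later.
const registryThen = { jquery: ['1.3.5', '1.3.6', '1.3.7'] };
const registryLater = { jquery: ['1.3.5', '1.3.6', '1.3.7', '1.3.8', '1.3.9', '1.4.0'] };
const packageJson = { jquery: '1.3.*' };
const authorInstall = install(packageJson, null, registryThen);        // { jquery: '1.3.7' }
const lockFile = { ...authorInstall };                                  // what package-lock.json records
const friendWithoutLock = install(packageJson, null, registryLater);    // { jquery: '1.3.9' }
const friendWithLock = install(packageJson, lockFile, registryLater);   // { jquery: '1.3.7' }
```

The same property is what makes a committed lock file reviewable: the exact versions that will land in node_modules show up in the diff before anyone installs them.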
