4

Can anyone please let me know the exact use of the package-lock.json file?

Though many have mentioned that it is used for viewing the versioned dependency tree.

Looking for simple and easier explanation.

Thanks in advance.

Johnson Samuel

2 Answers

3

npm install uses this file to make sure that the packages it is going to install are the same as specified in this file. It makes the npm install operation consistent across different machines. Thus, you will be less likely to nuke the node_modules folder.

In addition to a more consistent packages view, GitHub also uses package-lock.json to scan if your repository contains known security vulnerabilities.

You can use lock-walker to visually walk the dependency tree in package-lock.json - especially useful when checking out a security vulnerability.

Carolus
Compulim
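The kind of walk the answer describes, as an added example (not code from the original answer or from lock-walker): it reads a lockfileVersion 1 package-lock.json, lists every path through which a given package is installed, and flags entries without an integrity hash. The lockfile below is constructed; package names, versions, URLs and integrity values are placeholders.

```javascript
// Constructed package-lock.json (lockfileVersion 1 layout) used as sample input.
// Names, versions and integrity strings are placeholders, not real packages.
const sampleLock = {
  name: "example-app",
  version: "1.0.0",
  lockfileVersion: 1,
  requires: true,
  dependencies: {
    "web-framework": {
      version: "2.3.1",
      resolved: "https://registry.example/web-framework/-/web-framework-2.3.1.tgz",
      integrity: "sha512-PLACEHOLDER",
      requires: { "string-utils": "^1.0.0" },
      // nested copy: installed under web-framework/node_modules because the
      // top-level string-utils is a different major version
      dependencies: {
        "string-utils": { version: "1.0.4", resolved: "https://registry.example/string-utils-1.0.4.tgz", integrity: "sha512-PLACEHOLDER" }
      }
    },
    "string-utils": { version: "2.1.0", resolved: "https://registry.example/string-utils-2.1.0.tgz", integrity: "sha512-PLACEHOLDER" },
    "old-lib": { version: "0.1.0", resolved: "https://registry.example/old-lib-0.1.0.tgz" } // no integrity field
  }
};

// Collect "parent@ver > child@ver" paths for every installed copy of `target`,
// so you can see which direct dependency pulls a flagged package in.
function findPackagePaths(lock, target, prefix = [], out = []) {
  for (const [name, entry] of Object.entries(lock.dependencies || {})) {
    const path = [...prefix, `${name}@${entry.version}`];
    if (name === target) out.push(path.join(" > "));
    findPackagePaths(entry, target, path, out); // nested node_modules
  }
  return out;
}

// List entries that lack the integrity hash npm uses to verify the tarball.
function entriesWithoutIntegrity(lock, prefix = [], out = []) {
  for (const [name, entry] of Object.entries(lock.dependencies || {})) {
    const path = [...prefix, name];
    if (!entry.integrity) out.push(path.join(" > "));
    entriesWithoutIntegrity(entry, path, out);
  }
  return out;
}

// Usage: node walk-lock.js ./package-lock.json some-package
if (process.argv[2]) {
  const lock = JSON.parse(require("fs").readFileSync(process.argv[2], "utf8"));
  console.log(findPackagePaths(lock, process.argv[3] || "").join("\n"));
  console.log("missing integrity:", entriesWithoutIntegrity(lock));
}
```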
1

I think that npm documentation is quite explanatory. Its main purpose is to provide

single representation of a dependency tree such that teammates, deployments, and continuous integration are guaranteed to install exactly the same dependencies.

so that for example on a different system and/or by different people, the same dependencies (and same versions) will be used. For a better explanation see this

Hope this helps.

gtosto
  • Thanks @gtosto. I did read the same in npm doc. I saw 'install exactly the same dependencies', doesn't package.json work the same way now? – Johnson Samuel Oct 10 '17 at 08:45
  • in the package.json you can specify wildcard for example and usually you don't _control_ the version of transitive dependencies. The package-lock.json instead is more or less like a snapshot or instance of a particular dependency resolution "run". – gtosto Oct 10 '17 at 09:42
  • 1
    For a better explanation read [this](https://docs.npmjs.com/files/package-locks) about package locks in npm – gtosto Oct 10 '17 at 09:51