If I am always using definite versions of packages inside my package.json, what is the need of package-lock.json? Or, another way to put this question is: if someone wants to use package-lock.json, why can't they just use definite versions of packages (1.2.3 and not ^1.2.3) inside package.json?
Viewed 758 times

Ian MacDonald

Krupanand Shetty
- Child package versions could still vary, couldn't they? – imjared Sep 11 '18 at 13:51
- https://docs.npmjs.com/files/package-lock.json – Luca Kiebel Sep 11 '18 at 13:52
- Take a look into the generated `package-lock.json`. If it contains only the packages you listed in `package.json` then you probably don't need it. Otherwise you definitely need it because it locks the dependencies of your dependencies to some versions you cannot control otherwise. – axiac Sep 11 '18 at 15:13
- @imjared If that is the case then you answered my question. I was under the impression that it is only for packages in my package.json. Thanks – Krupanand Shetty Sep 13 '18 at 15:56
1 Answer
The use of package-lock.json optimizes the installation process because the full dependency tree is already calculated:

> optimize the installation process by allowing npm to skip repeated metadata resolutions for previously-installed packages. (doc)

And as @imjared mentioned, definite versions of packages can still have dependencies on caret versions.

Gabriel Bleu
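As an added example (not part of the original question or answer), the script below simulates what the answer and the comments describe: a root `package.json` that pins its direct dependency to an exact version still ends up with a different transitive dependency after a new version is published, while a `package-lock.json` generated earlier keeps the whole tree fixed. The package names (`example-http-client`, `example-parser`), the version numbers, the two "registry snapshots" and the lock file are all constructed for illustration, and the caret-range check is a deliberately minimal stand-in for real semver.

```javascript
// Added example, not from the original question or answer: demonstrates why
// pinning direct dependencies in package.json does not pin transitive ones,
// and what package-lock.json adds. Names, versions and registry snapshots
// below are constructed for illustration.

function parseVersion(v) {
  return v.split('.').map(Number);
}

function compareVersions(a, b) {
  const [a1, a2, a3] = parseVersion(a);
  const [b1, b2, b3] = parseVersion(b);
  return a1 - b1 || a2 - b2 || a3 - b3;
}

// Minimal caret check: ^A.B.C is satisfied by >= A.B.C with the same major.
// (Real semver has extra rules for 0.x versions that this toy ignores.)
function satisfies(version, range) {
  if (range.startsWith('^')) {
    const base = range.slice(1);
    return compareVersions(version, base) >= 0 &&
      parseVersion(version)[0] === parseVersion(base)[0];
  }
  return version === range; // an exact pin such as "1.2.3"
}

// Resolve like an install without a lock file: for each dependency pick the
// highest published version that satisfies its range, then recurse into the
// dependencies declared by that version.
function resolveWithoutLock(rootDeps, registry, resolved = {}) {
  for (const [name, range] of Object.entries(rootDeps)) {
    if (resolved[name]) continue;
    const candidates = Object.keys(registry[name] || {})
      .filter((v) => satisfies(v, range))
      .sort(compareVersions);
    if (candidates.length === 0) {
      throw new Error(`no published version of ${name} satisfies ${range}`);
    }
    const chosen = candidates[candidates.length - 1];
    resolved[name] = chosen;
    resolveWithoutLock(registry[name][chosen].dependencies || {}, registry, resolved);
  }
  return resolved;
}

// Resolve from a lock file: every package, direct or transitive, is already
// pinned, so the registry's newest versions do not matter.
function resolveWithLock(lock) {
  const resolved = {};
  for (const [name, entry] of Object.entries(lock.dependencies)) {
    resolved[name] = entry.version;
  }
  return resolved;
}

// Constructed root manifest: the direct dependency is pinned exactly.
const packageJson = { dependencies: { 'example-http-client': '1.2.3' } };

// Constructed registry on day 1: example-http-client@1.2.3 itself declares a
// caret range on example-parser, which the root manifest cannot control.
const registryDay1 = {
  'example-http-client': {
    '1.2.3': { dependencies: { 'example-parser': '^2.0.0' } },
  },
  'example-parser': { '2.0.0': {}, '2.0.1': {} },
};

// Day 2: example-parser 2.1.0 is published. Nothing in package.json changed.
const registryDay2 = {
  ...registryDay1,
  'example-parser': { ...registryDay1['example-parser'], '2.1.0': {} },
};

// Constructed package-lock.json as it would have been generated on day 1.
const packageLock = {
  dependencies: {
    'example-http-client': { version: '1.2.3' },
    'example-parser': { version: '2.0.1' },
  },
};

function main() {
  console.log('day 1, no lock: ', resolveWithoutLock(packageJson.dependencies, registryDay1));
  console.log('day 2, no lock: ', resolveWithoutLock(packageJson.dependencies, registryDay2));
  console.log('day 2, with lock:', resolveWithLock(packageLock));
}

main();
```

Running it shows `example-parser` moving from 2.0.1 to 2.1.0 between the two lock-less installs even though `package.json` never changed, while the lock-based resolution returns 2.0.1 both days. From a supply-chain point of view that is the practical difference: with only exact pins in `package.json`, any transitive package can change underneath a build whenever a new version is published, so the lock file is what makes the installed tree reproducible and reviewable in version control.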