
npm-shrinkwrap.json: Lock down the node_modules tree as well as dependencies and nested dependencies to prevent the package code breaking on other machines.

package-lock.json: Lock down the node_modules tree as well as dependencies and nested dependencies to prevent the package code breaking on other machines.

So, why is package-lock.json created if npm already has npm-shrinkwrap.json for locking purposes?

Why did they create the new package-lock.json file, giving rise to npm version compatibility issues, when developers were already using npm-shrinkwrap.json?

Any simple, easy and well-explained answer with an example?

2 Answers

npm publishes most files in your source directory by default, and people have been publishing shrinkwraps for years. We didn't want to break compatibility. With --save and shrinkwrap by default, there was a great risk of it accidentally making it in and propagating through the registry and basically rendering our ability to update deps and dedupe... null.

So we chose a new name. And we chose a new name kind of all of a sudden. The new lockfile shares basically all of the same code, the exact same format.

The idea is definitely for package-lock.json to be the Latest and Greatest in shrinkwrap technology, and npm-shrinkwrap.json to be reserved for those folks who care very much about their libraries having an exact node_modules -- npm-shrinkwrap had some special dependency-behavior settings that package-lock doesn't have now.

  • "_npm-shrinkwrap had some special dependency-behavior settings what package-lock doesn't have now_" I believe this was fixed by using `npm ci` with `package-lock.json`. – Leponzo Aug 05 '21 at 02:09
They do the same thing. However, there are a few differences:

  • package-lock.json is ignored by npm when publishing packages, while npm-shrinkwrap.json is not. It is generally not advised to publish modules with npm-shrinkwrap.json.
  • When both are in the root directory, npm-shrinkwrap.json is used.
  • If the **package-lock.json** is not for publishing, then what is the objective of this file? Is it just kept on the local machine to occupy space on the hard drive? – Sep 16 '18 at 16:37
  • It is quite useful actually. It is advised to commit it in your git project. When working in a team with multiple developers this can really help with tracking the history of dependencies. Also, when using Docker you might want to lock project dependencies. – faboulaws Sep 16 '18 at 16:42
  • Ok, so the **package-lock.json** is for GitHub or something similar, only to commit it into your git project, but it is not for publishing to npm? But please, can you say why the npm documentation says that it cannot be published and later says that it will be ignored if found in a place other than the top-level package? Please, can you clarify this? – Sep 16 '18 at 16:45
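As an added illustration (not code from either answer or from npm itself), the following Python script mirrors the two rules this answer states: npm honours npm-shrinkwrap.json over package-lock.json when both sit in the project root, and the two files share the same format. Because the losing file is silently ignored, a package-lock.json that has drifted from the shrinkwrap is never what gets installed; the script flattens both lockfile layouts (the nested lockfileVersion 1 tree and the flat `packages` map of v2/v3) and reports where they disagree, plus any entry with no `integrity` hash to verify the tarball against. The two sample lockfiles are constructed for this example and are not taken from any real project.

```python
import json

# Order in which npm picks a lockfile when more than one is present in the
# project root (npm-shrinkwrap.json wins, as the answer above states).
LOCKFILE_PRECEDENCE = ("npm-shrinkwrap.json", "package-lock.json")


def select_lockfile(filenames):
    """Return the lockfile npm honours given a root directory listing, or None."""
    present = set(filenames)
    for name in LOCKFILE_PRECEDENCE:
        if name in present:
            return name
    return None


def flatten_tree(lock):
    """Flatten a lockfile (v1 nested 'dependencies' or v2/v3 flat 'packages')
    into {node_modules path: (version, integrity)}.  Both file names share
    this format, so one parser serves both."""
    flat = {}
    if "packages" in lock:                      # lockfileVersion 2 or 3
        for path, meta in lock["packages"].items():
            if path == "":                      # root project entry, not a dependency
                continue
            flat[path] = (meta.get("version"), meta.get("integrity"))
        return flat

    def walk(deps, prefix):                     # lockfileVersion 1, nested tree
        for name, meta in deps.items():
            path = f"{prefix}node_modules/{name}"
            flat[path] = (meta.get("version"), meta.get("integrity"))
            walk(meta.get("dependencies", {}), path + "/")

    walk(lock.get("dependencies", {}), "")
    return flat


def compare_lockfiles(honoured, ignored):
    """Report where the ignored lockfile disagrees with the one npm will use.
    Returns a sorted list of (path, honoured_entry, ignored_entry)."""
    a, b = flatten_tree(honoured), flatten_tree(ignored)
    return [(p, a.get(p), b.get(p))
            for p in sorted(set(a) | set(b)) if a.get(p) != b.get(p)]


def missing_integrity(lock):
    """Paths whose entry lacks an integrity hash (nothing to verify the tarball against)."""
    return sorted(p for p, (_, integ) in flatten_tree(lock).items() if not integ)


# Constructed sample lockfiles (not from any real project).  The shrinkwrap is
# lockfileVersion 1 (nested); the package-lock is v2 style (flat 'packages').
# They pin different lodash versions, and the package-lock's lodash entry has
# no integrity field.  The sha512 values are placeholders, not real digests.
SHRINKWRAP = json.loads("""{
  "name": "demo-app", "version": "1.0.0", "lockfileVersion": 1,
  "dependencies": {
    "lodash": {"version": "4.17.11", "integrity": "sha512-EXAMPLEa"},
    "debug": {"version": "4.1.1", "integrity": "sha512-EXAMPLEb",
              "dependencies": {"ms": {"version": "2.1.2", "integrity": "sha512-EXAMPLEc"}}}
  }
}""")

PACKAGE_LOCK = json.loads("""{
  "name": "demo-app", "version": "1.0.0", "lockfileVersion": 2,
  "packages": {
    "": {"name": "demo-app", "version": "1.0.0"},
    "node_modules/lodash": {"version": "4.17.15"},
    "node_modules/debug": {"version": "4.1.1", "integrity": "sha512-EXAMPLEb"},
    "node_modules/debug/node_modules/ms": {"version": "2.1.2", "integrity": "sha512-EXAMPLEc"}
  }
}""")


if __name__ == "__main__":
    chosen = select_lockfile(["package.json", "package-lock.json", "npm-shrinkwrap.json"])
    print("npm will install from:", chosen)
    for path, used, ignored in compare_lockfiles(SHRINKWRAP, PACKAGE_LOCK):
        print(f"drift at {path}: installed {used}, package-lock says {ignored}")
    print("entries without integrity in package-lock:", missing_integrity(PACKAGE_LOCK))
```

Run against a real checkout by loading the two files with `json.load` in place of the constructed samples; a non-empty result from `compare_lockfiles` means the committed package-lock.json no longer describes what `npm install` will actually produce.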