Is there a way to extract package.json from package-lock.json?

Question

I'm working on a project in which the package.json file is missing. The developer has pushed the package-lock.json file without the package.json file.

How can I create a clean package.json from the package-lock.json file in case it is at all possible?

You can't. package-lock.json doesn't contain all data from package.json. It contains dependency versions. Just ask a dev to submit package.json. — Estus Flask, Jan 13 '19 at 10:35
You could get the name and version and maybe figure out the dependencies and devDependencies, but that's not all that's in the package file - it likely also contains scripts and config for some of the packages you're using, for example. — jonrsharpe, Jan 13 '19 at 10:38
@estus no one has access to him. that's why I'm trying to reverse engineer it. — Alireza, Jan 13 '19 at 10:38

Estus Flask · Accepted Answer · 2019-01-13T11:43:34.923

It's not possible to generate full package.json from package-lock.json because the latter doesn't contain all necessary data. It contains only a list of dependencies with specific versions without original semvers. Production and development dependencies are mixed up along with nested dependencies.

Fresh package.json could be generated, then augmented with these dependencies with something like:

const fs = require('fs');
const packageLock = require('./package-lock.json');
const package = require('./package.json');

package.dependencies = Object.entries(packageLock.dependencies)
.reduce((deps, [dep, { version }]) => Object.assign(deps, { [dep]: version }), {});

fs.writeFileSync('./package-new.json', JSON.stringify(package, null, 2));

Nested dependencies could be filtered out by checking requires key, but this can affect project's own dependencies.

Brian Fegter · Answer 2 · 2021-01-27T15:10:53.577

6

Simply run npm init and it will pull all of the current dependencies from package-lock.json if you already have node_modules/ generated. If not, run npm ci to generate the node modules from the package-lock.json and then run npm init to generate the package.json file.

edited Jan 27 '21 at 15:10

answered Mar 22 '19 at 16:27

Brian Fegter

693
12
21

1

just creates a blank package file for me! – asulaiman Apr 05 '19 at 14:03
@asulaiman What version are you using? I just tested it again using `6.8.0` and it works dandy. – Brian Fegter Apr 05 '19 at 18:10
3

It doesn't actually generate `package.json` from `package-lock.json`, but from `node_modules`. If you don't have `node_modules`, you can run `npm ci` to generate `node_modules` from `package-lock.json` and then run `npm init` to generate a `package.json`. – Stevula Jan 27 '21 at 00:09
@Stevula Good explanation! I'm updating the answer. – Brian Fegter Jan 27 '21 at 15:09

score 1 · Answer 3 · answered Mar 18 '22 at 04:13

Slightly improved version of accepted answer script. Will pull locked versions out of the package-lock.

const fs = require('fs');
const packageLock = require('./package-lock.json');
const package = require('./package.json');

package.dependencies = Object.keys(package.dependencies)
.reduce((deps, dep) => Object.assign(deps, { [dep]: packageLock.dependencies[dep].version }), {});

package.devDependencies = Object.keys(package.devDependencies)
.reduce((deps, dep) => Object.assign(deps, { [dep]: packageLock.dependencies[dep].version }), {});

fs.writeFileSync('./package-new.json', JSON.stringify(package, null, 2));

Rubén Cougil · Answer 4 · 2023-05-25T10:38:53.557

Slightly improved version of improved version for newer versions of NPM:

const fs = require('fs');
const packageLock = require('./package-lock.json');
const package = require('./package.json');

const packageJsonNew = package;

// Refactor above code into a function
const updateDependencies = (dependencies, newDependencies) => {
    Object.keys(dependencies).forEach(dep => {
        try {
            console.log("✅ node_modules/" + dep + ": " + packageLock.packages["node_modules/" + dep].version);
            newDependencies[dep] = packageLock.packages["node_modules/" + dep].version;
        } catch (error) {
            console.log("❌ node_modules/" + dep + ": " + error);
        }
    });
}

updateDependencies(package.dependencies, packageJsonNew.dependencies);
updateDependencies(package.devDependencies, packageJsonNew.devDependencies);

fs.writeFileSync('./package-new.json', JSON.stringify(packageJsonNew, null, 2));

Is there a way to extract package.json from package-lock.json?

4 Answers4

Linked