
I know the main point of having .lock files is that they contain specific versions of packages (whereas package.json can specify ranges), so that when you install the same project on different machines, you can guarantee the same versions of packages.

What I Want To Know:

When is package.json used and when is package-lock.json used? For instance, if the bundler finds a package.json file but no package-lock.json file, does it use package.json and create package-lock.json, but use package-lock.json if it finds it? If that's the case, then am I correct that if you never re-generate package-lock.json, even when you run npm install the bundler won't install the latest version of packages allowed by semver ranges in package.json, and rather just install the specific versions from package-lock.json?

gkeenley

1 Answer


npm install will always respect package-lock.

If you want to install the latest versions of packages allowed by your semver ranges in package.json, you have to remove the current package-lock and then run npm install again.

You can update a package manually in package.json or by running npm install package@version. It will update the existing package-lock info for this specific package and its dependencies.

  • Perfect, thank you! So just to clarify, if you run 'npm install' and there IS a package-lock.json present and it includes all packages referenced in package.json, will it just do nothing? Whereas if there's a package-lock.json, but maybe it's outdated and more packages have since been added to package.json, would it add only the packages NOT already included in package-lock.json? – gkeenley Aug 27 '19 at 17:05
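The situation raised in the comment above (a package-lock.json that has fallen behind package.json) is something you can check for before running npm install, which is useful in CI where you want to know whether the lock still pins everything the manifest declares. Below is an added example, not code from the original question or answer: it loads a constructed package.json and package-lock.json (both made up for this illustration; the dependency names and versions are samples, not a real project), implements just enough semver to evaluate exact, caret and tilde ranges, and reports three buckets: packages declared but absent from the lock, packages whose locked version no longer satisfies the declared range, and packages that are consistently pinned. The function names (`satisfies`, `lockfileDrift`, `lockedEntry`) are this example's own.

```javascript
// Added example: detect drift between package.json and package-lock.json.
// Both manifests below are constructed for this illustration.
const packageJson = {
  name: "example-app",
  version: "1.0.0",
  dependencies: {
    express: "^4.17.1",
    lodash: "~4.17.20",
    debug: "4.3.4",   // hand-bumped in package.json after the lock was written
    chalk: "^5.0.0",  // added to package.json, never installed, so not in the lock
  },
};

// lockfileVersion 2/3 shape: entries keyed by install path. Only "version" is
// kept here; a real lock also records "resolved" and "integrity" per entry.
const packageLock = {
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": { dependencies: { express: "^4.17.1", lodash: "~4.17.20", debug: "4.3.3" } },
    "node_modules/express": { version: "4.18.2" },
    "node_modules/lodash": { version: "4.17.21" },
    "node_modules/debug": { version: "4.3.3" },
  },
};

// Parse "MAJOR.MINOR.PATCH" (prerelease/build suffixes are ignored here).
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// Minimal semver: exact "1.2.3", caret "^1.2.3" and tilde "~1.2.3" ranges,
// following the npm rules: ^ allows changes below the leftmost non-zero
// component, ~ allows patch-level changes only.
function satisfies(version, range) {
  const v = parseVersion(version);
  const op = range[0] === "^" || range[0] === "~" ? range[0] : "";
  const base = parseVersion(op ? range.slice(1) : range);
  if (op === "") return compareVersions(v, base) === 0;
  if (compareVersions(v, base) < 0) return false;
  let upper;
  if (op === "~") upper = [base[0], base[1] + 1, 0];
  else if (base[0] > 0) upper = [base[0] + 1, 0, 0];
  else if (base[1] > 0) upper = [0, base[1] + 1, 0];
  else upper = [0, 0, base[2] + 1];
  return compareVersions(v, upper) < 0;
}

// Look up a top-level dependency in the lock. lockfileVersion 2/3 key entries
// by path under "packages"; lockfileVersion 1 used a flat "dependencies" map.
function lockedEntry(lock, name) {
  return (lock.packages && lock.packages[`node_modules/${name}`]) ||
         (lock.dependencies && lock.dependencies[name]) || null;
}

// Classify every dependency declared in package.json against the lock.
function lockfileDrift(pkg, lock) {
  const declared = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
  const missing = [];      // declared but not locked: npm install will resolve and add them
  const unsatisfied = [];  // locked version outside the declared range: lock is out of sync
  const pinned = [];       // locked and in range: npm install keeps this exact version
  for (const [name, range] of Object.entries(declared)) {
    const entry = lockedEntry(lock, name);
    if (!entry) { missing.push(name); continue; }
    if (satisfies(entry.version, range)) pinned.push({ name, locked: entry.version });
    else unsatisfied.push({ name, range, locked: entry.version });
  }
  return { missing, unsatisfied, pinned };
}

console.log(JSON.stringify(lockfileDrift(packageJson, packageLock), null, 2));
```

For the sample manifests this reports chalk as missing, debug as unsatisfied (locked 4.3.3 against a declared 4.3.4) and express and lodash as pinned. Anything in the first two buckets is what npm install will change in the lock on its next run; if you want the build to fail instead of silently re-resolving, use npm ci in CI, which refuses to run when package.json and package-lock.json disagree and installs exactly what the lock records.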