
I understood that package-lock.json is useful to lock the dependency versions in order to

Describe a single representation of a dependency tree such that teammates, deployments, and continuous integration are guaranteed to install exactly the same dependencies.

However, if I run `npm update`, my dependencies are updated and the package-lock.json versions too. So in the future, I can no longer reproduce the same original tree from package-lock.json. It doesn't serve its purpose, or am I missing something?

user33276346

1 Answer


`npm update` updates the dependencies in package.json. During the update, the updated packages are installed, and thus package-lock.json is updated.

The role of package-lock.json is to make sure that all transitive dependencies (second-level dependencies and above) are locked. This ensures that each invocation of `npm install` will result in installing the same packages.

Mr.
  • If the direct dependencies are changed, it is possible that their dependencies change and get updated as well, therefore both files change, making package-lock.json useless? – user33276346 Jun 05 '20 at 13:21
  • @user33276346: i don't understand your question. please clarify or state what is unclear for you in my answer – Mr. Jun 05 '20 at 13:24
  • You state that "the role of package-lock.json is to make sure that all transitive (or second-level dependencies and above) are locked". If the direct dependencies are changed, it is possible that their dependencies change and get updated as well, changing package-lock.json on the way. That is, all transitive dependencies would change, resulting in package-lock.json not locking anything. – user33276346 Jun 05 '20 at 14:49
  • @user33276346: you are repeating what you asked rather than clarifying exactly what is not clear – Mr. Jun 06 '20 at 05:21
  • hahaha yes probably. Second try, this is how I currently think it works: when we run `npm update` the direct dependencies may change, if so, their dependencies may change as well. If both things happen, we have all the tree with modified versions, so the package-lock.json changes to reflect those modifications. If it changes it is no longer useful to have an "exact" "representation" of the original dependencies, it locks nothing. – user33276346 Jun 07 '20 at 02:18
  • @user33276346: `package-lock.json` does have "exact representation" since each time you will execute `npm install` you will get exactly the version that are represented in the file, and you need to distinguish between `npm update` and `npm install` – Mr. Jun 07 '20 at 04:37
  • Take for instance that I am the author of the app and I declare in the package.json that react has to be ^1.2.3, but then I run npm update and 1.2.4 gets installed (my package.json isn't updated but my package-lock.json is). So I upload both files and then my user 2 years later downloads the app and runs npm install; he will probably get 1.9.9, introducing some errors on the way (who knows), so how is it possible that package-lock.json locks anything if it's changing like that? – user33276346 Jun 08 '20 at 22:59
  • so do not use the `^` when you specify the version. i think i addressed your questions and stackoverflow is not a discussion thread :) – Mr. Jun 09 '20 at 04:50
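The distinction the answer draws between `npm install` and `npm update`, played out on the `^1.2.3` scenario from the comments, as an added example that is not part of the original question or answer. It is an offline simulation, not npm's own resolver: it models only caret ranges and exact versions, a flat dependency tree, and two constructed registry snapshots (today, and "two years later" when newer versions exist). The `lockMatchesManifest` check mirrors what `npm ci` does in spirit (refuse when package.json and the lock disagree); the exact npm behaviour of re-resolving only the mismatching subtree is simplified to a full re-resolve.

```javascript
// Added example, not code from the original post: a small offline model of how
// a lock file behaves under `npm install` versus `npm update`. Only caret
// ranges ("^x.y.z") and exact versions are handled, the tree is flat, and the
// registries and dependency metadata below are constructed for the demo.
const parse = (v) => v.split(".").map(Number);

function compare(a, b) {
  const [x, y] = [parse(a), parse(b)];
  for (let i = 0; i < 3; i++) if (x[i] !== y[i]) return x[i] - y[i];
  return 0;
}

// Caret range for major >= 1: same major as the lower bound, and not below it.
function satisfies(version, range) {
  if (!range.startsWith("^")) return version === range;
  const lower = range.slice(1);
  return parse(version)[0] === parse(lower)[0] && compare(version, lower) >= 0;
}

function highestSatisfying(registry, name, range) {
  const ok = (registry.versions[name] || []).filter((v) => satisfies(v, range));
  if (ok.length === 0) throw new Error(`no version of ${name} satisfies ${range}`);
  return ok.sort(compare)[ok.length - 1];
}

// Resolve the whole tree from scratch, transitive dependencies included. This is
// what `npm update` (or an install with no lock file) does: every range is
// re-resolved to the highest version the registry offers *now*.
function resolveFresh(manifest, registry) {
  const lock = {};
  const queue = Object.entries(manifest);
  while (queue.length) {
    const [name, range] = queue.shift();
    if (lock[name]) continue; // flat model: the first pin for a name wins
    const version = highestSatisfying(registry, name, range);
    lock[name] = version;
    queue.push(...Object.entries(registry.deps[`${name}@${version}`] || {}));
  }
  return lock;
}

// Strict check in the spirit of `npm ci`: every direct range in package.json
// must be satisfied by the pinned version in the lock, otherwise refuse.
function lockMatchesManifest(manifest, lock) {
  return Object.entries(manifest).every(([n, r]) => Boolean(lock[n]) && satisfies(lock[n], r));
}

// `npm install` with a lock file present: keep the pinned versions as long as
// they still satisfy package.json; newer versions in the registry are ignored.
// (Real npm re-resolves only the mismatching subtree; this model redoes the tree.)
function installFromLock(manifest, lock, registry) {
  return lockMatchesManifest(manifest, lock) ? { ...lock } : resolveFresh(manifest, registry);
}

// Constructed scenario from the comment thread: react declared as "^1.2.3", the
// lock committed today, and a user installing two years later.
function scenario() {
  const manifest = { react: "^1.2.3" };
  const registryToday = {
    versions: { react: ["1.2.3", "1.2.4"], "object-assign": ["4.0.0", "4.1.1"] },
    deps: {
      "react@1.2.3": { "object-assign": "^4.0.0" },
      "react@1.2.4": { "object-assign": "^4.0.0" },
    },
  };
  const registryLater = {
    versions: { react: ["1.2.3", "1.2.4", "1.9.9"], "object-assign": ["4.0.0", "4.1.1", "5.0.0"] },
    deps: { ...registryToday.deps, "react@1.9.9": { "object-assign": "^5.0.0" } },
  };

  const lockToday = resolveFresh(manifest, registryToday);                   // lock that gets committed
  const installLater = installFromLock(manifest, lockToday, registryLater);  // `npm install` 2 years on
  const updateLater = resolveFresh(manifest, registryLater);                 // `npm update` 2 years on
  // package.json later edited to an exact "1.9.9" without regenerating the lock:
  const ciRefuses = !lockMatchesManifest({ react: "1.9.9" }, lockToday);
  return { lockToday, installLater, updateLater, ciRefuses };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(scenario(), null, 2));
}
```

Running it shows the lock pinning react 1.2.4 and object-assign 4.1.1; `installFromLock` two years later still yields exactly those versions even though 1.9.9 exists, while `resolveFresh` (the `npm update` path) moves the whole tree to react 1.9.9 and object-assign 5.0.0 and would rewrite the lock. The lock only stops protecting you when someone runs the update path and commits the result, or edits package.json so that the lock no longer satisfies it, which is the case the strict check catches.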