DEV Community

Discussion on: But what the hell is package-lock.json?

Andrew Mackrodt

This is how it works; the author is incorrect.

Saurabh Daware 🌻

Hi, you should check out this reply: dev.to/saurabhdaware/comment/eoo4
and this comment from GitHub: github.com/npm/npm/issues/17979#is...

So yes:

  • If you change package.json, package-lock.json will be updated.
  • But if you do not change anything manually, then it will ignore the ^ in package.json and install the version that is mentioned in package-lock.json.

Thank you for reading and do correct me if I am wrong.

Andrew Mackrodt • Edited

Hi Saurabh, my post was made on mobile, so please excuse its lack of detail. I've experienced package-lock.json updating itself in both development and CI environments, and subsequently builds have failed when sub-dependencies have introduced bugs or breaking changes despite following semantic versioning. npm ci faithfully installs the correct package versions in the CI environment.

As to why this happens, I'm not sure. I agree that what you've said should work, yet in practice I've seen it to not always be the case.

The npm team seems to acknowledge this; here's a quote from their blog:

npm ci promises the most benefit to large teams. Giving developers the ability to "sign off" on a package lock promotes more efficient collaboration across large teams, and the ability to install exactly what is in a lockfile has the potential to save tens if not hundreds of developer hours a month, freeing teams up to spend more time building and shipping amazing things.

blog.npmjs.org/post/171556855892/i...

It seems hundreds of developers on SO are also confused about npm's lock behaviour: stackoverflow.com/questions/450220....

Saurabh Daware 🌻

Yeah, even I've run into problems where hundreds of lines were updated in my package-lock.json, so I think it is because a lot of combinations are possible, like I mentioned above. Plus, if you've seen Dependabot commits, they update package-lock to bump versions, but along with that they also change the integrity hash so it doesn't end up creating conflicts.

Also, a lot of the time we pull from other branches, so if any of them updated your dependent package they may end up updating the tree in package-lock.

So yeah, a lot of permutations and combinations to think about :(