DEV Community

Discussion on: Explain package-lock.json like I am five

Ankit Utekar • Edited

Thank you for your response.
I'm still kinda confused.

  1. Can I have only package.json without any symbol specified (i.e. exact version) so that the same package version is installed everywhere?
  2. Say I have specified awesome-package: ^1.2.3 in package.json and accordingly its dependency tree is added in package-lock.json, will it install awesome-package-1.3.0 when available? A) If yes, will it update package-lock.json as well? If so then we are not using the exact same version everywhere even though we are using package-lock.json, right? B) If no, then what's the point of specifying those symbols if updates are not getting installed?
rhymes

Can I have only package.json without any symbol specified (i.e. exact version) so that the same package version is installed everywhere?

To have the same package AND the same version installed everywhere you need to specify the version, for example:

{"dependencies": {"hello": "1.2.3"}}

In theory this guarantees that your hello package is installed with the same version everywhere. Unfortunately, it doesn't guarantee that any other library that hello uses as a dependency will be installed with the same version. For this, you need the lock file.

A) If yes, will it update package-lock.json as well?

Yes, but only when you add a package. If the version you allow points to 1.3.0 the lock file will be updated when you run npm install.

If so then we are not using exact same version everywhere even though we are using package-lock.json,

Yes, you are. When you install (and not add) a package, the package.json is totally bypassed. What npm does is read the package-lock.json and install the exact versions specified there.
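To make the difference between a range and a lock file concrete, here is an added toy model (not code from the thread or from npm itself) of the two resolution paths rhymes describes: caret ranges from package.json pick the highest published version that matches, while a lock file pins exact versions, including transitive ones. The registry contents and the simplified lock shape are constructed sample data.

```javascript
// Constructed "registry": package -> published version -> its own dependency ranges.
const registry = {
  hello: { "1.2.3": { world: "^2.0.0" }, "1.3.0": { world: "^2.0.0" } },
  world: { "2.0.0": {}, "2.1.0": {} },
};

const parse = (v) => v.split(".").map(Number);
const compare = (a, b) => {
  const x = parse(a), y = parse(b);
  for (let i = 0; i < 3; i++) if (x[i] !== y[i]) return x[i] - y[i];
  return 0;
};

// Caret semantics for versions >= 1.0.0: same major, and not older than the stated version.
// A range without "^" is treated as an exact pin.
function satisfies(version, range) {
  if (!range.startsWith("^")) return version === range;
  const want = parse(range.slice(1)), have = parse(version);
  return have[0] === want[0] && compare(version, range.slice(1)) >= 0;
}

// Without a lock file npm takes the highest published version that satisfies the range.
function highestMatching(name, range) {
  return Object.keys(registry[name]).filter((v) => satisfies(v, range)).sort(compare).pop();
}

// Resolve the whole tree from package.json ranges only (what happens with no lock file).
function resolveFromRanges(deps, out = {}) {
  for (const [name, range] of Object.entries(deps)) {
    const version = highestMatching(name, range);
    out[name] = version;
    resolveFromRanges(registry[name][version], out); // transitive deps follow their own ranges
  }
  return out;
}

// With a lock file the recorded versions are installed as-is; the ranges are not consulted.
function resolveFromLock(lock) {
  return Object.fromEntries(Object.entries(lock.dependencies).map(([n, e]) => [n, e.version]));
}

// Constructed lock file in a simplified package-lock.json v1 shape.
const lockFile = {
  dependencies: {
    hello: { version: "1.2.3", requires: { world: "^2.0.0" } },
    world: { version: "2.0.0" },
  },
};
```

Pinning `hello` to `"1.2.3"` in package.json still leaves `world` free to float to 2.1.0; only the lock file reproduces the full tree.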

Ankit Utekar

Oh... Thanks for the clarification 😊