DEV Community


Discussion on: When not to use package-lock.json

Ankur Loriya

I think package-lock.json is for security purposes.
When a user runs npm install, package-lock.json is created; commit the package-lock.json changes to version control. They must be on an insecure network.

Once the package-lock.json is generated on a true (secure) network, if your other machine's network is under attack and a hacker changes the npm registry DNS/route/IP, in that case npm will check the integrity with npm install.