The latest articles on DEV Community by Shivam (@shivaggw). https://dev.to/shivaggw https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3840969%2Fed0b2c39-d9f3-417e-91e5-eccaaa825baf.png https://dev.to/shivaggw en Shivam Tue, 21 Apr 2026 14:28:44 +0000 https://dev.to/shivaggw/how-to-compare-packagejson-files-a-nodejs-developers-guide-3oea https://dev.to/shivaggw/how-to-compare-packagejson-files-a-nodejs-developers-guide-3oea <p>You open a pull request to review a dependency update and the diff is a wall of text — 80 lines of package names and version numbers. Your teammate says "just bumped a few deps", but buried in there is a downgraded React version and two new packages nobody discussed.</p> <p>Manually spotting that by eye is error-prone. A proper side-by-side diff would have caught it in seconds.</p> <p>Here are four methods for comparing package.json files, when to use each, and a workflow that fits into real code reviews.</p> <h2> Why package.json Comparisons Go Wrong </h2> <p>The obvious ones are easy — a new package name sticks out. The dangerous ones are subtle:</p> <ul> <li>A minor version bump (<code>^18.2.0 → ^18.3.0</code>) that pulls in a breaking change via a transitive dependency</li> <li>A <code>peerDependency</code> conflict where two packages need different versions of the same library — causing silent runtime bugs that your test suite won't catch</li> <li>A package silently downgraded during a lockfile resolution</li> <li>A <code>devDependency</code> accidentally moved to <code>dependencies</code>, inflating your production bundle</li> </ul> <p>None of these are obvious from a quick glance at a git diff. They need a proper side-by-side comparison.</p> <h2> Method 1: Git Diff (Fastest) </h2> <p>The go-to for a quick local check before pushing:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>git diff main..feature-branch <span class="nt">--</span> package.json </code></pre> </div> <p>To include more context lines around each change:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>git diff <span class="nt">-U10</span> main..feature-branch <span class="nt">--</span> package.json </code></pre> </div> <p>Always diff the lockfile at the same time — version constraints in package.json can hide transitive changes that only show up in <code>package-lock.json</code> or <code>yarn.lock</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>git diff main..feature-branch <span class="nt">--</span> package.json package-lock.json </code></pre> </div> <p><strong>Best for:</strong> Quick checks before pushing. Not great for large files or sharing with teammates — the raw terminal output is hard to read.</p> <h2> Method 2: GitHub Pull Request Diff </h2> <p>If the PR is already open on GitHub:</p> <ol> <li>Go to the <strong>Files changed</strong> tab</li> <li>Scroll to <code>package.json</code> </li> <li>Click the split view icon (two columns) for side-by-side mode</li> </ol> <p>GitHub highlights added lines in green and removed lines in red. For large files, use the <strong>File filter</strong> dropdown at the top to jump straight to <code>package.json</code>.</p> <p><strong>Best for:</strong> Reviewing a PR before merging. Doesn't help when you want to compare arbitrary branches or files not in an open PR.</p> <h2> Method 3: Online Diff Tools (Most Visual) </h2> <p>For a detailed, shareable comparison — especially useful for large dependency updates or monorepo audits — paste both <code>package.json</code> files into an online diff tool like <a href="https://www.online-diff.com" rel="noopener noreferrer">Online Diff</a>.</p> <p>Here's what a typical comparison looks like:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="err">//</span><span class="w"> </span><span class="err">package.json</span><span class="w"> </span><span class="err">on</span><span class="w"> </span><span class="err">main</span><span class="w"> </span><span class="err">branch</span><span class="w"> </span><span class="nl">"dependencies"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"react"</span><span class="p">:</span><span class="w"> </span><span class="s2">"^18.2.0"</span><span class="p">,</span><span class="w"> </span><span class="nl">"axios"</span><span class="p">:</span><span class="w"> </span><span class="s2">"^1.4.0"</span><span class="p">,</span><span class="w"> </span><span class="nl">"lodash"</span><span class="p">:</span><span class="w"> </span><span class="s2">"^4.17.21"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="err">//</span><span class="w"> </span><span class="err">package.json</span><span class="w"> </span><span class="err">on</span><span class="w"> </span><span class="err">feature</span><span class="w"> </span><span class="err">branch</span><span class="w"> </span><span class="nl">"dependencies"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"react"</span><span class="p">:</span><span class="w"> </span><span class="s2">"^18.3.0"</span><span class="p">,</span><span class="w"> </span><span class="err">//</span><span class="w"> </span><span class="err">←</span><span class="w"> </span><span class="err">version</span><span class="w"> </span><span class="err">bumped</span><span class="w"> </span><span class="nl">"axios"</span><span class="p">:</span><span class="w"> </span><span class="s2">"^1.4.0"</span><span class="p">,</span><span class="w"> </span><span class="nl">"lodash"</span><span class="p">:</span><span class="w"> </span><span class="s2">"^4.17.21"</span><span class="p">,</span><span class="w"> </span><span class="nl">"zod"</span><span class="p">:</span><span class="w"> </span><span class="s2">"^3.22.4"</span><span class="p">,</span><span class="w"> </span><span class="err">//</span><span class="w"> </span><span class="err">←</span><span class="w"> </span><span class="err">new</span><span class="w"> </span><span class="err">package</span><span class="w"> </span><span class="err">added</span><span class="w"> </span><span class="nl">"date-fns"</span><span class="p">:</span><span class="w"> </span><span class="s2">"^3.0.0"</span><span class="w"> </span><span class="err">//</span><span class="w"> </span><span class="err">←</span><span class="w"> </span><span class="err">new</span><span class="w"> </span><span class="err">package</span><span class="w"> </span><span class="err">added</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>With syntax highlighting and character-level diffs, version bumps and new packages are immediately obvious. You can share the diff URL with your team — useful when the reviewer can't run git locally.</p> <p><strong>Best for:</strong> Detailed dependency audits, sharing with colleagues, comparing files across different repos.</p> <h2> Method 4: npm diff (npm 8+) </h2> <p>npm 8 introduced a built-in diff command:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>npm diff <span class="nt">--</span> package.json </code></pre> </div> <p>You can also compare specific versions of a package:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>npm diff <span class="nt">--diff</span><span class="o">=</span>lodash@4.17.20 <span class="nt">--diff</span><span class="o">=</span>lodash@4.17.21 </code></pre> </div> <p><strong>Best for:</strong> Comparing installed package versions when investigating what changed between two npm installs. Less useful for branch-to-branch comparisons.</p> <h2> The Security Angle: Why This Matters Beyond Code Review </h2> <p>Dependency diffs are one of the most underused parts of a security review. When a new package is added to your project, you're trusting that:</p> <ul> <li>The package author hasn't published malicious code</li> <li>The package's own dependencies are clean</li> <li>The version you're pinning doesn't have a known CVE</li> </ul> <p>A side-by-side diff makes the attack surface visible. When you see "5 new packages added", that's 5 supply chain vectors to evaluate — much easier to spot in a visual diff than buried in 120 lines of JSON.</p> <p>After reviewing the diff visually, always run:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>npm audit </code></pre> </div> <p>This cross-references your dependencies against the npm advisory database. A version bump that looks harmless in the diff may resolve — or introduce — a known vulnerability.</p> <h2> Handling Monorepos </h2> <p>If you manage multiple <code>package.json</code> files across a monorepo (<code>apps/web/</code>, <code>apps/api/</code>, <code>packages/ui/</code>), script the extraction:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Extract package.json files from main branch</span> git show main:apps/web/package.json <span class="o">&gt;</span> web-main.json git show main:apps/api/package.json <span class="o">&gt;</span> api-main.json git show main:packages/ui/package.json <span class="o">&gt;</span> ui-main.json <span class="c"># Then paste each pair into an online diff tool</span> </code></pre> </div> <p>This is how version drift gets caught — where <code>apps/web</code> is on React 18.2 and <code>packages/ui</code> is still on React 17, causing subtle incompatibilities that only surface at runtime.</p> <p>For automated checks across all packages:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="k">for </span><span class="nb">dir </span><span class="k">in </span>packages/<span class="k">*</span>/<span class="p">;</span> <span class="k">do </span><span class="nb">echo</span> <span class="s2">"=== </span><span class="nv">$dir</span><span class="s2"> ==="</span> git diff main..feature <span class="nt">--</span> <span class="s2">"</span><span class="nv">$dir</span><span class="s2">/package.json"</span> <span class="k">done</span> </code></pre> </div> <h2> A Real Code Review Workflow </h2> <p>Here's how this fits into a real PR review process:</p> <ol> <li>Developer opens PR with dependency updates</li> <li>CI runs <code>npm audit</code> — flags any known vulnerabilities</li> <li>Reviewer extracts both <code>package.json</code> versions and pastes into a diff tool</li> <li>Reviewer sees at a glance: 2 new packages (zod, date-fns), 1 version bump (react <code>^18.2.0 → ^18.3.0</code>)</li> <li>Reviewer checks the CHANGELOG for new packages</li> <li>Reviewer confirms the React bump is a minor version (safe)</li> <li>Approve and merge</li> <li>After merge: <code>npm install</code>, CI tests pass</li> </ol> <p>This takes 3 minutes. Without the diff, it takes 10 minutes of squinting at JSON, and you're still not confident you caught everything.</p> <h2> Key Takeaways </h2> <ul> <li>Use <code>git diff</code> for fast local checks before pushing</li> <li>Use GitHub's PR view for reviewing changes before merging</li> <li>Use an online diff tool for detailed audits and sharing</li> <li>Always diff the lockfile alongside <code>package.json</code> </li> <li>Run <code>npm audit</code> after any dependency comparison</li> <li>In monorepos, script the extraction to catch version drift across all packages</li> </ul> <p>What's your workflow for reviewing dependency changes? Drop it in the comments — always curious how teams handle this at scale.</p> <p><em>Originally published at <a href="https://www.online-diff.com/blog/compare-package-json" rel="noopener noreferrer">online-diff.com/blog/compare-package-json</a></em></p> javascript node webdev npm