What is the point of having the same dependency tree?
The lock file's main purpose is repeatability of the installs.
If you have it you can be sure the packages listed there are the same that are going to be installed on your production application.
If you only have the package.json you will probably end up with slightly different versions for the same packages.
Should I commit package-lock.json every time I add a new package?
Yes
How is it related to symbols (e.g. ^) that are put before package versions in package.json?
When you specify your dependencies you have multiple ways to specify a dependency. You can list the exact version (but it means you have to change both package.json and the lock file every time there's a new version) or you can use semver, which allows you to be a little more elastic. ^1.2.3 for example means install all the 1.x.x future versions, because the agreement says: "1 is the major version, 2 is the minor version, 3 is the patch version". So the developer likely won't release incompatible software until the version goes from 1.x.x to 2.x.x, and such a version won't be intercepted by your initial rule ^1.2.3. If instead you only want bugfixes (the last digit) you can use ~1.2.3, which means install all the 1.2.x versions.
Thank you for your response.
I'm still kinda confused.
Can I have only package.json without any symbol specified (i.e. exact version) so that the same package version is installed everywhere?
Say I have specified awesome-package: ^1.2.3 in package.json and accordingly its dependency tree is added in package-lock.json, will it install awesome-package-1.3.0 when available?
A) If yes, will it update package-lock.json as well? If so then we are not using the exact same version everywhere even though we are using package-lock.json, right?
B) If no, then what's the point of specifying those symbols if updates are not getting installed?
Can I have only package.json without any symbol specified (i.e. exact version) so that the same package version is installed everywhere?
To have the same package AND the same version installed everywhere you need to specify the version, for example
{"dependencies":{"hello":"1.2.3"}}
In theory this guarantees that your hello package is installed with the same version everywhere. Unfortunately it doesn't guarantee that any other library that hello uses as a dependency will be installed with the same version. For this, you need the lock file.
A) If yes, will it update package-lock.json as well?
Yes, but only when you add a package. If the version you allow points to 1.3.0 the lock file will be updated when you run npm install.
If so then we are not using the exact same version everywhere even though we are using package-lock.json.
Yes, you are. When you install (and not add) a package, the package.json is totally bypassed. What npm does is read the package-lock.json and install the exact versions specified there.
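A small model of the two rules discussed in this thread, added here as an example rather than code from the answer or from npm itself: how ^ and ~ ranges decide which versions are acceptable, and how a lock file entry pins the install to one version when it exists. The published version list is constructed for the awesome-package from the question, and the resolve() behaviour (lock entry used when it still satisfies the package.json range, otherwise the newest matching version) is an assumption modelled on npm, not npm's own code.

```javascript
// Plain x.y.z versions only; pre-release tags and build metadata are out of scope.
function parseVersion(v) {
  const parts = v.split('.').map(Number);
  if (parts.length !== 3 || parts.some(Number.isNaN)) throw new Error(`bad version: ${v}`);
  return parts;
}

// Negative if a < b, zero if equal, positive if a > b (numeric, not lexical).
function compareVersions(a, b) {
  const [pa, pb] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] - pb[i];
  return 0;
}

// True if `version` satisfies `range`, where range is "x.y.z", "^x.y.z" or "~x.y.z".
function satisfies(version, range) {
  const op = range[0] === '^' || range[0] === '~' ? range[0] : '';
  const base = op ? range.slice(1) : range;
  if (compareVersions(version, base) < 0) return false;        // never below the stated version
  if (op === '') return compareVersions(version, base) === 0;  // bare "1.2.3" is an exact pin
  const [vMaj, vMin, vPat] = parseVersion(version);
  const [bMaj, bMin, bPat] = parseVersion(base);
  if (op === '~') return vMaj === bMaj && vMin === bMin;       // ~1.2.3 -> 1.2.x
  // ^ keeps the leftmost non-zero component fixed: ^1.2.3 -> 1.x.x,
  // ^0.2.3 -> 0.2.x, ^0.0.3 -> 0.0.3 only (the 0.x cases the answer above does not cover).
  if (bMaj > 0) return vMaj === bMaj;
  if (bMin > 0) return vMaj === 0 && vMin === bMin;
  return vMaj === 0 && vMin === 0 && vPat === bPat;
}

// What an install would pick: the lock file entry wins when present and still inside
// the range (assumption modelled on npm); otherwise the newest published version that
// satisfies it. With a committed lock file every machine lands on the same version.
function resolve(range, published, locked) {
  if (locked && satisfies(locked, range)) return locked;
  const candidates = published.filter(v => satisfies(v, range)).sort(compareVersions);
  if (candidates.length === 0) throw new Error(`nothing satisfies ${range}`);
  return candidates[candidates.length - 1];
}

// Constructed sample registry for awesome-package from the question.
const PUBLISHED = ['1.2.3', '1.2.9', '1.3.0', '2.0.0'];

console.log(resolve('^1.2.3', PUBLISHED));          // no lock file: 1.3.0
console.log(resolve('^1.2.3', PUBLISHED, '1.2.3')); // lock file pins it: 1.2.3
console.log(resolve('~1.2.3', PUBLISHED));          // bugfix-only range: 1.2.9
```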
Oh.. Thanks for the clarification 😊