Tether
Why you need package-lock.json, and npm clean install

You might have come across package.json and package-lock.json while working with Node package modules (or yarn.lock when using Yarn) in your React or Node application; but why do we need them?

Background

Basically package.json acts as a manifest file for all the packages to be installed; it keeps the version tree of the dependencies, including child dependencies. It consists of the dependencies with their semantic version ranges, the scripts, and the browserslist configuration.

(Screenshots: package.json and package-lock.json)

package-lock.json contains the list of exact versions of all packages used in your project; it is needed to lock the dependencies to the installed versions.


What npm install does under the hood

npm install -s MODULE_NAME

  • It first searches for the module by name.
  • It installs the package and its dependencies.
  • It updates or creates package-lock.json and adds the corresponding package name and version to package.json.

So if someone now clones your project and runs npm install, the node package manager will try to download the same files as it did previously by referring to the versions in package-lock.json and package.json. It compares both: if they match, it follows the lock file. But what if they don't? Then npm treats the manifest in package.json as authoritative and updates package-lock.json.

You might also need to know about semantic versioning in package.json:

Generally an npm package version looks like 1.0.1, where the first number from the right is the patch version, the second is the minor version, and the last (leftmost) is the major version.

  • A patch release consists of bug fixes to a feature or backward-compatible bug fixes; the patch version semantic is ~1.0.x

  • A minor release is when a new feature is added and it should remain backward compatible; the minor version semantic is ^1.x or ^1.1.3

  • A major release is when a feature can break backward compatibility; the major version semantic is * or x.


So now let's come back to npm install updating package-lock.json. Some developers have a tendency to change dependencies by hand. Or assume a case in your project where you update a package dependency and commit only package.json and not the lock file, and in the meantime some developer clones your repository.....

Enter npm clean install

npm clean-install

npm ci bypasses the version ranges in package.json and installs modules by referring to the lockfile only. This ensures reproducible builds: you get exactly what you expect on every install.

Previously, developers who wanted to ensure that node_modules/ and package.json stayed in sync would have to archive their node_modules folder. npm ci replaces this process with a single command.

What steps it takes

  • If a node_modules folder exists, it deletes it and installs a fresh one.

  • If package-lock.json doesn't exist, or its versions don't match package.json, it reports an error and stops.
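To make the "lock file must match package.json" check concrete, here is an added example (not code from the original post or from npm itself) that does in miniature what npm ci verifies before installing: every dependency declared in package.json must appear in package-lock.json at a version that satisfies its declared range. It also implements the range shapes named above (exact pin, ~, ^, * and x) without the semver package, and flags locked entries that have no integrity hash, since a lock entry without one cannot pin the exact artifact. The manifest and lockfile below are constructed sample data; the lockfile layout follows lockfileVersion 2/3, where top-level dependencies live under packages["node_modules/<name>"].

```javascript
// Added example: a small manifest-vs-lockfile consistency check, in the spirit
// of what `npm ci` does before it installs. Uses only plain JavaScript.
// Caveat: version parsing is limited to plain X.Y.Z (no prerelease tags).

const parse = (v) => v.split('.').map(Number); // "1.2.3" -> [1, 2, 3]

// Compare two version triples: returns -1, 0 or 1.
function cmp(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Minimal "does version satisfy range" for the range shapes the post discusses.
function satisfies(version, range) {
  range = range.trim();
  if (range === '' || range === '*' || range === 'x') return true; // anything goes
  const op = '^~'.includes(range[0]) ? range[0] : '';
  const parts = range.slice(op.length).split('.');
  const wild = (p) => p === undefined || p === 'x' || p === '*';
  const lower = [0, 1, 2].map((i) => (wild(parts[i]) ? 0 : Number(parts[i])));
  let upper;
  if (wild(parts[1])) {
    upper = [lower[0] + 1, 0, 0];                          // 1.x, ^1.x => <2.0.0
  } else if (op === '^') {
    if (lower[0] !== 0) upper = [lower[0] + 1, 0, 0];      // ^1.2.3 => <2.0.0
    else if (lower[1] !== 0) upper = [0, lower[1] + 1, 0]; // ^0.2.3 => <0.3.0
    else upper = [0, 0, lower[2] + 1];                     // ^0.0.3 => <0.0.4
  } else if (op === '~' || wild(parts[2])) {
    upper = [lower[0], lower[1] + 1, 0];                   // ~1.2.3, 1.2.x => <1.3.0
  } else {
    return cmp(parse(version), lower) === 0;               // exact pin
  }
  const v = parse(version);
  return cmp(v, lower) >= 0 && cmp(v, upper) < 0;
}

// Report every declared dependency that the lockfile does not pin consistently.
function checkLockSync(pkg, lock) {
  const declared = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
  const packages = lock.packages || {}; // lockfileVersion 2/3 layout
  const problems = [];
  for (const [name, range] of Object.entries(declared)) {
    const entry = packages[`node_modules/${name}`];
    if (!entry) {
      problems.push(`${name}: declared as ${range} but missing from the lockfile`);
    } else if (!satisfies(entry.version, range)) {
      problems.push(`${name}: lock has ${entry.version}, which does not satisfy ${range}`);
    } else if (!entry.integrity) {
      problems.push(`${name}: locked at ${entry.version} but has no integrity hash`);
    }
  }
  return problems;
}

// Constructed sample manifest and lockfile (not from any real project).
const samplePkg = {
  name: 'demo-app',
  dependencies: { lodash: '^4.17.0', express: '~4.18.0', 'left-pad': '1.3.0' },
  devDependencies: { jest: '*' },
};
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app' },
    'node_modules/lodash': { version: '4.17.21', integrity: 'sha512-PLACEHOLDER' },
    // edited by hand to a version outside ~4.18.0
    'node_modules/express': { version: '4.19.2', integrity: 'sha512-PLACEHOLDER' },
    // pinned to the right version, but the integrity hash was dropped
    'node_modules/left-pad': { version: '1.3.0' },
    // jest was added to package.json but the lockfile was never regenerated
  },
};

const report = checkLockSync(samplePkg, sampleLock);
for (const line of report) console.log('out of sync:', line);
if (report.length === 0) console.log('package.json and package-lock.json are in sync');
```

Run with node; the sample reports express (locked outside its range), left-pad (no integrity hash) and jest (absent from the lock), which is exactly the situation in which npm ci stops with an error instead of silently rewriting the lockfile the way npm install would.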

npm ci is faster in some cases and it improves readability.
Check this GitHub link.

Conclusion:

  1. Next time you clone a repository, use npm clean-install (npm ci) to avoid any version compatibility issues.
  2. Never try to update package.json by hand.
