DEV Community

Discussion on: Explain package-lock.json like I am five

Tyler V. (he/him)

I don't think I'm able to answer everything, but here's at least some points:

  • The ^ in ^3.0.0 indicates that the package needs to be at least version 3.0.0. So having version 2.9.9 installed on the machine would require an update to version 3.0.0 or newer

  • The purpose of package-lock.json is to outline the list of version requirements for each package. This is useful for 2 reasons:

    • If a new feature is released in fancyTool.js v. 1.1.0 that you implement, you wouldn't want users to install v. 1.0.0 and wonder why it isn't working.
    • If the syntax changes dramatically from v. 1.0.0 to v. 2.0.0, you want to be able to require that v. 1.0.0 be installed instead of v. 2.0.0 (which would in turn break your program).
Ankit Utekar

Then why have both package-lock.json and those symbols in package.json? The purpose of both of these things is the same, right? How do they work together?

Tyler V. (he/him)

The symbols are part of the package-lock.json structure. Each package can independently be assigned either a specific version or a minimum version that is needed, i.e.:

  "cookie": "0.3.1",
  "cookie-signature": "1.0.6",
  "debug": "2.6.8",
  "depd": "^1.1.1",

In this example, cookie, cookie-signature, and debug will install their specific versions and depd needs at least 1.1.1, but would also accept something like 2.0.0 or 1.2.1.
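An added example, not part of the thread and not the npm `semver` package, that implements the caret rule as the npm semver spec defines it and shows how a first install turns the ranges quoted above into the exact versions a lockfile records. The registry snapshot is constructed, not real publish history.

```javascript
// Added example, not from the thread: npm's caret rule as the semver spec states it,
// plus how a first install turns a range into the exact version package-lock.json records.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  if (!m) throw new Error(`unsupported version string: ${v}`);
  return m.slice(1).map(Number); // [major, minor, patch]
}

function cmp(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// ^X.Y.Z permits changes that keep the left-most non-zero component fixed:
// ^1.1.1 -> >=1.1.1 <2.0.0,  ^0.3.1 -> >=0.3.1 <0.4.0,  ^0.0.6 -> >=0.0.6 <0.0.7
function caretUpperBound([maj, min, pat]) {
  if (maj > 0) return [maj + 1, 0, 0];
  if (min > 0) return [0, min + 1, 0];
  return [0, 0, pat + 1];
}

function satisfies(version, range) {
  const v = parseVersion(version);
  if (!range.startsWith('^')) return cmp(v, parseVersion(range)) === 0; // exact pin
  const lower = parseVersion(range.slice(1));
  return cmp(v, lower) >= 0 && cmp(v, caretUpperBound(lower)) < 0;
}

// With no lockfile, npm picks the highest published version that satisfies the range.
function resolve(range, published) {
  const ok = published.filter((v) => satisfies(v, range));
  return ok.length ? ok.sort((a, b) => cmp(parseVersion(a), parseVersion(b))).pop() : null;
}

// Lockfile build: one exact version per dependency. Later installs reuse
// lock[name].version instead of re-resolving, so a version published after
// the lock was written (even one matching the range) is not pulled in.
function buildLock(deps, registry) {
  const lock = {};
  for (const [name, range] of Object.entries(deps)) {
    lock[name] = { version: resolve(range, registry[name]) };
  }
  return lock;
}

// Constructed registry snapshot (not real publish history) and the ranges quoted in the thread.
const REGISTRY = { depd: ['1.1.0', '1.1.1', '1.1.2', '1.2.0', '2.0.0'], cookie: ['0.3.0', '0.3.1', '0.4.0'] };
const PACKAGE_JSON = { cookie: '0.3.1', depd: '^1.1.1' };
console.log(buildLock(PACKAGE_JSON, REGISTRY)); // depd resolves to 1.2.0, not 2.0.0; cookie stays 0.3.1
```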