If you're a JavaScript developer, you've probably heard of npm (node package manager). It's a tool that helps us quickly include third-party libraries in our project.
But do you understand two important files: package.json and package-lock.json? Do you really know which package versions you are installing?
The Potential Issues With package.json
Inside package.json, we specify which version of each package to install. However, using a range notation like "^0.2.3" (which allows any version greater than or equal to 0.2.3 but less than 0.3.0) means that the same package.json can produce different node_modules trees when it is installed at different times, because newer versions matching the range may have been published in between.
This increases the risk: you cannot be sure which code actually ends up in node_modules.
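To make the range behaviour concrete, here is an added example (not code from the original post, and not the `semver` library npm itself uses): a minimal implementation of caret (^) and tilde (~) ranges, plus a resolver that picks the highest published version matching a range. The two registry snapshots are constructed; they show the same "^0.2.3" resolving to a different version once 0.2.9 exists. Prerelease tags and build metadata are ignored.

```javascript
// Added example, not code from the original post: a minimal implementation of
// npm's caret (^) and tilde (~) range semantics, so you can see which versions
// a package.json range accepts at install time. Real npm uses the `semver`
// package; this covers only the subset needed here and ignores prerelease
// tags and build metadata.

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v.trim());
  if (!m) throw new Error(`unsupported version: ${v}`);
  return m.slice(1).map(Number);
}

function compare(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Returns [lowerInclusive, upperExclusive] for "^x.y.z", "~x.y.z" or "x.y.z".
function rangeBounds(range) {
  const r = range.trim();
  if (r.startsWith('^')) {
    const [maj, min, pat] = parseVersion(r.slice(1));
    // Caret allows changes that do not modify the left-most non-zero part,
    // so ^0.2.3 means >=0.2.3 <0.3.0 while ^1.2.3 means >=1.2.3 <2.0.0.
    if (maj > 0) return [[maj, min, pat], [maj + 1, 0, 0]];
    if (min > 0) return [[0, min, pat], [0, min + 1, 0]];
    return [[0, 0, pat], [0, 0, pat + 1]];
  }
  if (r.startsWith('~')) {
    // Tilde allows patch-level changes only: ~1.2.3 means >=1.2.3 <1.3.0.
    const [maj, min, pat] = parseVersion(r.slice(1));
    return [[maj, min, pat], [maj, min + 1, 0]];
  }
  const exact = parseVersion(r); // a bare version pins exactly that release
  return [exact, [exact[0], exact[1], exact[2] + 1]];
}

function satisfies(version, range) {
  const v = parseVersion(version);
  const [lo, hi] = rangeBounds(range);
  return compare(v, lo) >= 0 && compare(v, hi) < 0;
}

// Given the versions a registry has published, return the one npm would pick
// (the highest that satisfies the range), or null if none does.
function resolve(range, published) {
  const candidates = published.filter((v) => satisfies(v, range));
  if (candidates.length === 0) return null;
  return candidates.map(parseVersion).sort(compare).pop().join('.');
}

// Constructed registry snapshots: the same range resolves to a different
// version once 0.2.9 has been published, which is the drift a lockfile stops.
const publishedMonday = ['0.2.3', '0.2.4', '0.3.0'];
const publishedFriday = ['0.2.3', '0.2.4', '0.2.9', '0.3.0'];

console.log('Monday :', resolve('^0.2.3', publishedMonday));
console.log('Friday :', resolve('^0.2.3', publishedFriday));
```

Run it with `node` and the two lines differ (0.2.4, then 0.2.9) even though package.json never changed; that is the gap a committed package-lock.json closes.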
How package-lock.json File Helps Lock Dependencies
When you change package.json and run npm install, a file called package-lock.json is generated (or updated) automatically.
Committing package-lock.json to your source repository ensures that other developers who clone your code install the same package versions you used during development.
This consistency is crucial in continuous integration (CI), where dependencies must not vary between environments.
Other purposes of package-lock.json include:
- You can check package-lock.json to see the previous state of node_modules.
- It makes it easier to observe and detect changes when modifying or upgrading package versions.
- Allow npm to skip redundant metadata resolutions for faster package installation.
Do You Understand package-lock.json?
Do you know what each section represents? Here are the meanings and examples of common items:
name: The name of the root project, matching the one in package.json.
version: The version of the root project, consistent with package.json (you update the version number in package.json, not here).
lockfileVersion: The format of package-lock.json changes with npm versions. You can determine which npm version created the file using lockfileVersion.
For npm v5 and v6, it's lockfileVersion: 1; for npm v7 and v8, it's lockfileVersion: 2 (backwards compatible with v1 lockfiles); and for npm v9, it's lockfileVersion: 3 (backwards compatible with npm v7).
packages: This section records every package in the tree, where it lives and its related information.
- The information for the root project (your source repository) is listed under an empty string key ("").
- Third-party packages are listed under keys that are their paths relative to the project folder.
Each package descriptor contains the following information:
- version: The exact version of the package that was installed.
- resolved: The location from which the package was fetched.
- integrity: A Standard Subresource Integrity string (sha512 or sha1) for the artifact that was unpacked at this location.
- bin, license, engines, dependencies, optionalDependencies: Information that corresponds to the package.json of each package.
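The `packages` section described above is what a reviewer reads when a lockfile changes. The following added example (not code from the original post, nor any npm tooling) walks a lockfileVersion 2/3 `packages` map to check that every third-party entry has `resolved` and `integrity` and that `resolved` points at the public registry, and diffs two lockfiles to report exactly which entries were added, removed or re-versioned. Both lockfile objects are constructed for this example; the registry URL constant and the "weak algorithm" rule for sha1 are this example's own assumptions.

```javascript
// Added example, not code from the original post: audit and diff the
// `packages` section of a package-lock.json (lockfileVersion 2 or 3).
// The two lockfiles below are constructed; real ones have many more fields.

const REGISTRY = 'https://registry.npmjs.org/'; // assumption: the only expected source

// Returns a list of findings; an empty list means the entries look intact.
function auditLockfile(lock) {
  const findings = [];
  if (!(lock.lockfileVersion >= 2) || !lock.packages) {
    findings.push('lockfileVersion < 2: no `packages` section to check');
    return findings;
  }
  for (const [key, entry] of Object.entries(lock.packages)) {
    if (key === '') continue;  // root project has no resolved/integrity
    if (entry.link) continue;  // workspace symlink, nothing is downloaded
    if (!entry.resolved) findings.push(`${key}: missing resolved`);
    if (!entry.integrity) {
      findings.push(`${key}: missing integrity`);
    } else if (!entry.integrity.startsWith('sha512-')) {
      findings.push(`${key}: weak integrity algorithm (${entry.integrity.split('-')[0]})`);
    }
    if (entry.resolved && !entry.resolved.startsWith(REGISTRY)) {
      findings.push(`${key}: resolved outside the npm registry (${entry.resolved})`);
    }
  }
  return findings;
}

// Compare two lockfiles and describe what changed, keyed by node_modules path.
function diffLockfiles(before, after) {
  const bp = before.packages || {};
  const ap = after.packages || {};
  const keys = [...new Set([...Object.keys(bp), ...Object.keys(ap)])].sort();
  const changes = [];
  for (const key of keys) {
    if (key === '') continue;
    const a = bp[key];
    const b = ap[key];
    if (!a) changes.push({ key, kind: 'added', to: b.version });
    else if (!b) changes.push({ key, kind: 'removed', from: a.version });
    else if (a.version !== b.version) changes.push({ key, kind: 'version', from: a.version, to: b.version });
    else if (a.integrity !== b.integrity) changes.push({ key, kind: 'integrity', from: a.integrity, to: b.integrity });
  }
  return changes;
}

// Constructed sample: the lockfile as committed to the repository.
const lockBefore = {
  name: 'demo-app', version: '1.0.0', lockfileVersion: 3, requires: true,
  packages: {
    '': { name: 'demo-app', version: '1.0.0', dependencies: { left: '^0.2.3' } },
    'node_modules/left': {
      version: '0.2.4',
      resolved: 'https://registry.npmjs.org/left/-/left-0.2.4.tgz',
      integrity: 'sha512-CONSTRUCTED_DIGEST_A==',
    },
  },
};

// Constructed sample: the lockfile after a later `npm install` picked up a newer
// patch release, pulled in a new transitive package, and recorded one entry
// that is fetched from somewhere other than the registry with a sha1 digest.
const lockAfter = {
  name: 'demo-app', version: '1.0.0', lockfileVersion: 3, requires: true,
  packages: {
    '': { name: 'demo-app', version: '1.0.0', dependencies: { left: '^0.2.3' } },
    'node_modules/left': {
      version: '0.2.9',
      resolved: 'https://registry.npmjs.org/left/-/left-0.2.9.tgz',
      integrity: 'sha512-CONSTRUCTED_DIGEST_B==',
    },
    'node_modules/helper': {
      version: '1.0.0',
      resolved: 'https://example.invalid/helper-1.0.0.tgz',
      integrity: 'sha1-CONSTRUCTED_DIGEST_C=',
    },
  },
};

console.log('audit before:', auditLockfile(lockBefore));
console.log('audit after :', auditLockfile(lockAfter));
console.log('diff        :', diffLockfiles(lockBefore, lockAfter));
```

Running this prints no findings for the committed lockfile, two findings for the new one (the sha1 digest and the non-registry URL on `node_modules/helper`), and a diff listing `helper` as added and `left` as moved from 0.2.4 to 0.2.9. To use it on a real project, replace the constructed objects with `JSON.parse(fs.readFileSync('package-lock.json'))` for the two revisions you want to compare.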