I'm the former tech lead/architect for the NPM CLI, now working for Microsoft on developer tooling. I do a lot of Rust open source stuff and some web dev.
Hi! I wrote npm ci and I'm also the one who added package-lock.json to NPM back in the day.
The story about package.json vs package-lock.json is tricky: npm install does not ignore package.json versions, nor does it ignore the package-lock.json. What it does is verify that the package.json and package-lock.json correspond to each other. That is, if the semver versions described in package.json fit with the locked versions in package-lock.json, npm install will use the latter completely, just like npm ci would.
Now, if you change package.json such that the versions in package-lock.json are no longer valid, your npm install will be treated as if you'd done npm install some-pkg@x.y.z, where x.y.z is the new version in the package.json for some-package.
This was done intentionally because, after early feedback in npm@5, we realized that one of the ways people edited their dependencies was by editing package.json directly, and it became a bit of a usability nightmare to treat package-lock.json as canonical in those cases. It was a trade-off between two competing worlds, and the current behavior won out.
This is why npm ci was born: because the behavior for npm install was actually what people wanted, in practice (when they actually ran into the behavior), and npm ci had a nice ring to it anyway (it was eventually backronymed to clean-install for this reason).
Hope this helps! Nice article! 👍🏼
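To make the "correspond to each other" check concrete, here is an added example (not npm's code, and not from anyone in this thread) that compares the ranges in a constructed package.json against the versions pinned in a constructed package-lock.json and reports which dependencies no longer match; `satisfies` is a deliberately minimal stand-in for the semver library and handles only exact, caret and tilde ranges.

```javascript
// Added example, not npm's own code: does each version pinned in package-lock.json
// still satisfy the range declared in package.json? Only exact, ^ and ~ ranges are
// handled here; a real check would use the semver package.
const parse = (v) => v.split(".").map(Number);
const lt = (a, b) => { for (let i = 0; i < 3; i++) { if (a[i] !== b[i]) return a[i] < b[i]; } return false; };

function satisfies(locked, range) {
  const op = /^[\^~]/.test(range) ? range[0] : "";
  const lo = parse(op ? range.slice(1) : range);
  const v = parse(locked);
  if (!op) return v.every((n, i) => n === lo[i]);   // exact pin
  if (lt(v, lo)) return false;                       // below the lower bound
  let hi;
  if (op === "~") hi = [lo[0], lo[1] + 1, 0];        // ~1.2.3 => <1.3.0
  else if (lo[0] > 0) hi = [lo[0] + 1, 0, 0];        // ^1.2.3 => <2.0.0
  else if (lo[1] > 0) hi = [0, lo[1] + 1, 0];        // ^0.2.3 => <0.3.0
  else hi = [0, 0, lo[2] + 1];                       // ^0.0.3 => <0.0.4
  return lt(v, hi);
}

// Returns the dependencies whose locked version no longer fits the manifest
// (or that are missing from the lockfile). These are the ones npm install would
// re-resolve as if you had run `npm install <name>@<version in package.json>`;
// an empty result means the lockfile is honoured as-is, like npm ci would.
function lockfileDrift(pkg, lock) {
  const deps = { ...pkg.dependencies, ...pkg.devDependencies };
  const drift = [];
  for (const [name, range] of Object.entries(deps)) {
    const entry = lock.packages && lock.packages[`node_modules/${name}`];
    if (!entry) { drift.push({ name, range, locked: null }); continue; }
    if (!satisfies(entry.version, range)) drift.push({ name, range, locked: entry.version });
  }
  return drift;
}

// Constructed sample manifest and lockfile (lockfileVersion 2/3 "packages" layout).
const samplePkg = { dependencies: { lodash: "^4.17.0", express: "~4.18.0" }, devDependencies: { jest: "29.5.0" } };
const sampleLock = { packages: {
  "node_modules/lodash": { version: "4.17.21" },
  "node_modules/express": { version: "4.19.2" },
  "node_modules/jest": { version: "29.5.0" } } };
console.log(lockfileDrift(samplePkg, sampleLock)); // only express drifts: ~4.18.0 does not cover 4.19.2
```

Running a check like this in CI before `npm ci` turns lockfile drift into a visible review-time event instead of a silent re-resolution on a developer's machine.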
Thank you so much for this comment, and yes, it explained everything about the npm install behavior. Also, thank you for reading this; it's pretty cool to see the article reached the person who added package-lock 😭😭😭🌻🌻
Hello Kat 👋
I found this article and this comment after so much searching, and both have been a great help to my understanding of npm. Thanks everyone!
There are still some things I am not clear on.
1) Does npm install with a package-lock present, with semver satisfied between it (the lockfile, having exact versions) and the package.json (with semver), cause the package-lock file to be updated? (Maybe there's a new satisfiable version out there in the registry.) Or does it just go about installing the modules since package.json and package-lock are in sync?
If it does update even when satisfied, does npm install some-new-package also cause this update?
2) Is it currently acceptable to manually update package.json?
3) You mentioned multiple npm install behaviors, so which are you referring to here: "the behavior for npm install was actually what people wanted, in practice (when they actually ran into the behavior)"
Thanks again! Any help is greatly appreciated!
Cheers 🤙
Robby