DEV Community

Discussion on: But what the hell is package-lock.json?

Kat Marchán

Hi! I wrote npm ci and I'm also the one who added package-lock.json to NPM back in the day.

The story about package.json vs package-lock.json is tricky: npm install does not ignore package.json versions, nor does it ignore the package-lock.json. What it does is verify that the package.json and package-lock.json correspond to each other. That is, if the semver versions described in package.json fit with the locked versions in package-lock.json, npm install will use the latter completely, just like npm ci would.

Now, if you change package.json such that the versions in package-lock.json are no longer valid, your npm install will be treated as if you'd done npm install some-pkg@x.y.z, where x.y.z is the new version in the package.json for some-package.

This was done intentionally because, after early feedback in npm@5, we realized that one of the ways people edited their dependencies was by editing package.json directly, and it became a bit of a usability nightmare to treat package-lock.json as canonical in those cases. It was a trade-off between two competing worlds, and the current behavior won out.

This is why npm ci was born: because the behavior for npm install was actually what people wanted, in practice (when they actually ran into the behavior), and npm ci had a nice ring to it anyway (it was eventually backronymed to clean-install for this reason).

Hope this helps! Nice article! 👍🏼
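The package.json vs package-lock.json correspondence check Kat describes, as an added example that is not npm's own code and not written by anyone in this thread. It is a deliberately small matcher (exact versions, ^, ~ and "*"; npm's real semver matcher is much broader) that reports which dependencies a plain npm install would re-resolve, which is exactly the drift you want to catch before unreviewed package versions land in a build. The sample package.json and lockfile objects are constructed for illustration.

```javascript
// Toy consistency check (added example, not npm's own code): which dependencies
// would `npm install` re-resolve because package-lock.json no longer satisfies package.json?
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(String(v).trim());
  return m ? m.slice(1).map(Number) : null;
}
function cmp(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}
// true: locked version satisfies the range; false: it does not; null: range syntax not
// understood (only exact, ^, ~ and "*" are implemented here; npm's matcher is broader).
function satisfies(range, locked) {
  const r = String(range).trim(), v = parseVersion(locked);
  if (!v) return false;
  if (r === '*' || r === '') return true;
  const op = (r[0] === '^' || r[0] === '~') ? r[0] : '';
  const base = parseVersion(op ? r.slice(1) : r);
  if (!base) return null;
  if (!op) return cmp(v, base) === 0;
  if (cmp(v, base) < 0) return false;
  let upper; // exclusive upper bound of the range
  if (op === '~') upper = [base[0], base[1] + 1, 0];   // ~4.18.0 -> <4.19.0
  else if (base[0] > 0) upper = [base[0] + 1, 0, 0];  // ^1.2.3  -> <2.0.0
  else if (base[1] > 0) upper = [0, base[1] + 1, 0];  // ^0.2.3  -> <0.3.0
  else upper = [0, 0, base[2] + 1];                    // ^0.0.3  -> <0.0.4
  return cmp(v, upper) < 0;
}
// Reads lockfileVersion 2/3 ("packages") or v1 ("dependencies") layouts.
function checkLock(pkg, lock) {
  const deps = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
  const result = { inSync: [], willReResolve: [], unsupported: [] };
  for (const [name, range] of Object.entries(deps)) {
    const entry = (lock.packages && lock.packages['node_modules/' + name])
      || (lock.dependencies && lock.dependencies[name]);
    if (!entry) { result.willReResolve.push(name); continue; }
    const ok = satisfies(range, entry.version);
    if (ok === null) result.unsupported.push(name);
    else (ok ? result.inSync : result.willReResolve).push(name);
  }
  return result;
}
// Constructed sample: lodash's range was bumped in package.json after the lock was
// written, so `npm install` would behave like `npm install lodash@^5.0.0` for it.
const samplePkg = { dependencies: { lodash: '^5.0.0', express: '~4.18.0', semver: '7.5.4' } };
const sampleLock = { lockfileVersion: 3, packages: {
  'node_modules/lodash': { version: '4.17.21' },
  'node_modules/express': { version: '4.18.2' },
  'node_modules/semver': { version: '7.5.4' } } };
function demo() { return checkLock(samplePkg, sampleLock); }
```

Running demo() returns express and semver as in sync and lodash as the one entry npm install would re-resolve; a non-empty willReResolve list is the case where npm ci would refuse to proceed.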

Saurabh Daware 🌻

Thank you so much for this comment and yes it explained everything about the npm install behavior.

Also, thank you for reading this; it's pretty cool to see the article reached the person who added package-lock 😭😭😭🌻🌻

robby

Hello Kat 👋

I found this article and this comment after so much searching, and both have been a great help to my understanding of npm. Thanks everyone!

There are still some things I am not clear on.

1) Does npm install with a package-lock present, with semver satisfied between it (the lockfile; having exact versions) and the package.json (with semver), cause the package-lock file to be updated? (maybe there's a new satisfiable version out there in the registry) -- OR does it just go about installing the modules since package.json and package-lock are in sync?

If it does update even when satisfied, does npm install some-new-package also cause this update?

2) Is it currently acceptable to manually update package.json?

3) You mentioned multiple npm install behaviors, so which are you referring to here:

the behavior for npm install was actually what people wanted, in practice (when they actually ran into the behavior)

Thanks again! Any help is greatly appreciated!

Cheers 🤙