What is the difference between package.json and package-lock.json?

The package.json file is a configuration file that stores important information about your Node.js project. It is created by running the npm init command.

If you take a closer look at the package.json, you can see that it has human-readable and functional metadata about the project.

After initializing the project, when you install a package, NPM generates the node_modules folder and the package-lock.json file. You might wonder why package-lock.json is generated if you already have a package.json file.

Let's understand why the package-lock.json file is needed with the help of an example. Suppose you have installed the lodash package in your project, and the version at that time was 4.16.2. The package.json file has made an entry for lodash in the dependencies section. The version saved in the file is ^4.16.2. The caret (^) symbol means any version greater than or equal to 4.16.2 within the same major version is acceptable.

By the time you check the project again, new releases of lodash have been published, and the current version is 4.17.21. When you check out a fresh copy of this project, you find that the installed lodash version is different from the one you used initially, which is confusing. The reason for the difference is that NPM consults package.json to decide which version of lodash to install. Inside the package.json file it found ^4.16.2, so it fetched the latest minor version of lodash allowed by that range, 4.17.21, and installed it.
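The following is an added example, not code from the original article, showing how a caret range such as ^4.16.2 is interpreted when the lock file does not pin a version. It goes beyond the article's single case: it also covers the 0.x.y and 0.0.z forms of the caret rule (the caret allows updates that do not change the left-most non-zero part of the version). The list of published lodash versions is constructed for the example and does not reflect the real registry.

```javascript
// Added example: resolve a caret range the way npm does when nothing pins the version.
// Rule: "^x.y.z" allows versions >= x.y.z that keep the left-most non-zero part unchanged.

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v.trim());
  if (!m) throw new Error(`not a plain semver version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Returns -1, 0 or 1 comparing two plain versions numerically, part by part.
function compareVersions(a, b) {
  const [x, y] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) {
    if (x[i] !== y[i]) return x[i] < y[i] ? -1 : 1;
  }
  return 0;
}

// Exclusive upper bound of a caret range: "^4.16.2" -> "5.0.0", "^0.2.3" -> "0.3.0", "^0.0.3" -> "0.0.4".
function caretUpperBound(base) {
  const [major, minor, patch] = parseVersion(base);
  if (major > 0) return `${major + 1}.0.0`;
  if (minor > 0) return `0.${minor + 1}.0`;
  return `0.0.${patch + 1}`;
}

function satisfiesCaret(range, version) {
  if (!range.startsWith('^')) throw new Error('only caret ranges are handled in this example');
  const base = range.slice(1);
  return compareVersions(version, base) >= 0 &&
         compareVersions(version, caretUpperBound(base)) < 0;
}

// Pick the highest published version that satisfies the range; this is what a
// fresh "npm install" without a lock file ends up doing against the registry.
function resolveHighest(range, published) {
  const candidates = published.filter((v) => satisfiesCaret(range, v));
  return candidates.sort(compareVersions).pop() ?? null;
}

// Constructed sample list of lodash versions for the example (not the real registry).
const PUBLISHED_LODASH = ['4.16.1', '4.16.2', '4.17.0', '4.17.21', '5.0.0'];

console.log(resolveHighest('^4.16.2', PUBLISHED_LODASH)); // prints "4.17.21"
```

With these versions available, ^4.16.2 resolves to 4.17.21 rather than the 4.16.2 you originally installed, which is exactly the drift the article describes; 5.0.0 is excluded because it changes the major version.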

In this example, the package.json file looks like this:

{
  "name": "notes-app",
  "version": "1.0.0",
  "description": "",
  "main": "app.js",
  "scripts": {
    "test": "echo \"Error: no test specified\" && exit 1"
  },
  "author": "Mohit Natani",
  "license": "ISC",
  "dependencies": {
    "lodash": "^4.17.21",
    "validator": "^13.7.0"
  }
}

To mitigate this problem, the package-lock.json file is generated so that an exact copy of the node_modules folder can be reproduced. In simple terms, the package-lock.json file keeps track of the exact version of each installed package. Each entry also records where the package tarball was fetched from (resolved) and a hash of its contents (integrity), so a later install can verify that it downloaded the same bytes and not just the same version number.

The package-lock.json file looks like this:

{
  "name": "notes-app",
  "version": "1.0.0",
  "lockfileVersion": 1,
  "requires": true,
  "dependencies": {
    "lodash": {
      "version": "4.17.21",
      "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz",
      "integrity": "sha512-v2kDEe57lecTulaDIuNTPy3Ry4gLGJ6Z1O3vE1krgXZNrsQ+LFTGHVxVjcXPs17LhbZVGedAJv8XZ1tvj5FvSg=="
    },
    "validator": {
      "version": "13.7.0",
      "resolved": "https://registry.npmjs.org/validator/-/validator-13.7.0.tgz",
      "integrity": "sha512-nYXQLCBkpJ8X6ltALua9dRrZDHVYxjJ1wgskNt1lH9fzGjs3tgojGSCBjmEPwkWS1y29+DrizMTW19Pr9uB2nw=="
    }
  }
}

The following table explains the difference between package.json and package-lock.json:

package.json: The package.json file has the metadata of the project.
package-lock.json: The package-lock.json file stores the exact version of dependencies.

package.json: The project's basic information, such as package name, version, description, author, dependencies, etc., is present in package.json.
package-lock.json: Dependencies and their locked versions are recorded in the package-lock.json file.

package.json: The npm init command generates the package.json file.
package-lock.json: The package-lock.json file is generated when you install a package into your project.
