What is the package-lock.json file in Node.js?

You might have noticed that when you install a package into your project, a new file called package-lock.json suddenly appears. You may wonder why package-lock.json exists when there is already a package.json, and what its purpose is. This tutorial answers the questions about package-lock.json that come to the mind of any Node.js developer.

In a Node.js project, there are top-level dependencies, which are called core dependencies. These top-level dependencies have their own dependencies, called sub-dependencies, and those sub-dependencies have their own dependencies, and so on. This nested relationship between dependencies and sub-dependencies is called the dependency tree. You can view your project's dependency tree by running the npm list --all command.

The package-lock.json file keeps track of the entire dependency tree. It stores all the information required to reproduce the node_modules folder: for every package, the exact version that was installed, where it was downloaded from, and an integrity hash of its contents. In simple terms, package-lock.json is a snapshot of the files and directories present in the node_modules folder.

An example package-lock.json looks like this:

{
  "name": "notes-app",
  "version": "1.0.0",
  "lockfileVersion": 1,
  "requires": true,
  "dependencies": {
    "lodash": {
      "version": "4.17.21",
      "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz",
      "integrity": "sha512-v2kDEe57lecTulaDIuNTPy3Ry4gLGJ6Z1O3vE1krgXZNrsQ+LFTGHVxVjcXPs17LhbZVGedAJv8XZ1tvj5FvSg=="
    },
    "validator": {
      "version": "13.7.0",
      "resolved": "https://registry.npmjs.org/validator/-/validator-13.7.0.tgz",
      "integrity": "sha512-nYXQLCBkpJ8X6ltALua9dRrZDHVYxjJ1wgskNt1lH9fzGjs3tgojGSCBjmEPwkWS1y29+DrizMTW19Pr9uB2nw=="
    }
  }
}

When you run the npm install command without a package name, npm looks for package-lock.json and installs the exact versions of all the dependencies recorded in it. If package-lock.json is not present, npm falls back to package.json and resolves the versions from the ranges declared there.

Is package-lock.json needed?

Let's understand why package-lock.json is needed with the help of an example. Suppose you want to install a package called demo into your Node.js project. You run the npm install demo command, and npm downloads the demo package and all of its dependencies into the node_modules folder and updates the package.json file.

Let's assume that the demo package depends on another package, called sample, so installing demo also installs sample. Some time later, the developers of the sample package publish an update that deprecates some functions.

Now you share your code and package.json file with another developer in your organization. When that developer runs the npm install command, npm installs all of the project's dependencies and sub-dependencies. The demo package is installed as before, but this time the updated version of the sample package is installed. When the developer runs your project, something is broken. This is baffling, because nothing was changed: package.json is exactly the same as before, so why is there an error?

The package-lock.json file was introduced to solve this problem. If package-lock.json is present in your project, you won't face this kind of dependency issue: the lock file records the exact version of every dependency and sub-dependency, so the next time you check out a fresh copy of the project, the same dependency tree is reproduced. That is why it is recommended that you commit package-lock.json to version control.

Note: You neither create nor manually edit the package-lock.json file. It is managed by npm commands such as npm install, npm uninstall and npm update, which update package-lock.json to reflect the new state of the node_modules folder.

Is it ok to delete package-lock.json?

No, it is not OK to delete the package-lock.json file. Once it is gone, there is no record of the exact node_modules tree your project was built with, and the next install may produce a different one.

You never commit node_modules to version control or share it with others, because it is too large. package-lock.json is how you keep track of the state of the node_modules folder instead.
