
Do I need both package-lock.json and package.json?

After updating my NPM to the latest version (from 3.X to 5.2.0) and running npm install on an existing project, I get an auto-created package-lock.json file.

I can tell package-lock.json gives me an exact dependency tree as opposed to package.json.

From that info alone, it seems like package.json is redundant and not needed anymore.

Are both of them necessary for NPM to work?
Is it safe or possible to use only the package-lock.json file?

The docs on package-lock.json (doc1, doc2) don't mention anything about that.


After some more thinking about it, I came to the conclusion that if someone wants to use your project with an older version of NPM (before 5.x) it would still install all of the dependencies, but with less accurate versions (patch versions).

@Omri unless you do it the Java way and tool versions are determined by your project, i.e. if I go back 1 year in my repo, it uses an older version of Gradle, so I never worry about that.
Most people do not do what I recommend, which is why npm probably had to keep both, whereas in Java the Gradle wrapper is set up to do exactly that, so they can move from one file to the other and have no duplication for backward compatibility.


Do you need both package-lock.json and package.json? No.

Do you need the package.json? Yes.

Can you have a project with only the package-lock.json? No.

The package.json is used for more than dependencies - like defining project properties, description, author & license information, scripts, etc. The package-lock.json is solely used to lock dependencies to a specific version number.

Instead of npm install, use npm ci to install dependencies according to package-lock.json - refer to
Narendar Reddy M

package-lock.json: records the exact version of each installed package which allows you to re-install them. Future installs will be able to build an identical dependency tree.

package.json: records the minimum version your app needs. If you update the versions of a particular package, the change is not going to be reflected here.

If the above is true, and package.json records the minimum version needed by the app and package-lock.json records the exact version of each installed package, then I'm having a strange situation where a module is set at version 0.112.1 in package.json and 0.110.0 in package-lock.json...
Package.json vs Package.lock.json

This is great information, but what's the source?
Stanley Kirdey
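The situation described in the answers above (package.json carrying a range, package-lock.json carrying the exact pinned version, and the two drifting apart as in the 0.112.1 vs 0.110.0 comment) is exactly what `npm ci` checks before it installs anything: if the lockfile no longer satisfies package.json it aborts instead of silently resolving fresh versions. The script below is an added example written for this page, not code from the answerers or from npm itself. It reproduces that drift check for the common range forms (exact, `^`, `~`, `*`) over constructed sample files, so it runs offline without the `semver` package; the dependency names `some-lib` and `test-tool` and all version numbers are made up, and real npm uses the full `semver` range grammar, which this deliberately does not implement.

```javascript
// Added example, not from the original answers or from npm: a minimal drift
// check between package.json ranges and the versions pinned in package-lock.json.
// Only exact, caret, tilde and "*" ranges are supported (no prerelease tags,
// no "||" or ">=" syntax); anything else throws rather than guessing.

const parseVersion = (v) => {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  if (!m) throw new Error(`unsupported version: ${v}`);
  return m.slice(1).map(Number);
};

// Three-part numeric compare: negative, zero or positive like strcmp.
const cmp = (a, b) => {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
};

// Exclusive upper bound implied by a caret or tilde range:
// ^1.2.3 -> <2.0.0, ^0.2.3 -> <0.3.0, ^0.0.3 -> <0.0.4, ~1.2.3 -> <1.3.0
function upperBound(op, [major, minor, patch]) {
  if (op === '~') return [major, minor + 1, 0];
  if (major > 0) return [major + 1, 0, 0];
  if (minor > 0) return [0, minor + 1, 0];
  return [0, 0, patch + 1];
}

// Does the exact `locked` version fall inside the package.json `range`?
function satisfies(range, locked) {
  const r = range.trim();
  if (r === '*' || r === '' || r === 'latest') return true;
  const m = /^([\^~]?)(\d+\.\d+\.\d+)$/.exec(r);
  if (!m) throw new Error(`unsupported range: ${range}`);
  const op = m[1];
  const low = parseVersion(m[2]);
  const v = parseVersion(locked);
  if (op === '') return cmp(v, low) === 0; // bare x.y.z means exactly that version
  return cmp(v, low) >= 0 && cmp(v, upperBound(op, low)) < 0;
}

// Compare the top-level dependencies of package.json with the lockfile.
// lockfileVersion 1 stores them under `dependencies`; v2/v3 under
// `packages["node_modules/<name>"]`. Both layouts are looked up.
function lockfileDrift(pkg, lock) {
  const wanted = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
  const problems = [];
  for (const [name, range] of Object.entries(wanted)) {
    const entry =
      (lock.packages && lock.packages[`node_modules/${name}`]) ||
      (lock.dependencies && lock.dependencies[name]);
    if (!entry) {
      problems.push(`${name}: missing from package-lock.json`);
      continue;
    }
    if (!satisfies(range, entry.version)) {
      problems.push(`${name}: package.json wants ${range} but lock pins ${entry.version}`);
    }
  }
  return problems; // empty array means the two files agree
}

// Constructed sample inputs (hypothetical package names and versions, not a real project).
const samplePackageJson = {
  name: 'demo',
  version: '1.0.0',
  scripts: { test: 'node test.js' }, // package.json carries more than dependencies
  dependencies: { lodash: '^4.17.0', express: '~4.18.0', 'some-lib': '0.112.1' },
  devDependencies: { 'test-tool': '^2.0.0' },
};

const sampleLock = {
  name: 'demo',
  lockfileVersion: 2,
  packages: {
    '': { name: 'demo', version: '1.0.0' },
    'node_modules/lodash': { version: '4.17.21' },
    'node_modules/express': { version: '4.18.2' },
    'node_modules/some-lib': { version: '0.110.0' }, // the drift from the comment above
    // 'test-tool' deliberately absent: added to package.json without re-running npm install
  },
};

console.log(lockfileDrift(samplePackageJson, sampleLock));
```

Run with `node` and the two reported problems are the ones a practitioner cares about: a pinned version that no longer matches its range, and a dependency present in package.json but absent from the lock. Either condition is what makes `npm ci` refuse to proceed; the fix in both cases is to re-run `npm install` once and commit the regenerated package-lock.json, rather than hand-editing either file.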

If your question is if the lock file should be committed to your source control - it should. It will be ignored under certain circumstances.

I found it bloating pull requests and commit history, so if you see it change, do a separate commit for it.

No, I wasn't asking about commits to source control. Just if NPM needs both of them at the same time to work. package-lock.json seems like a more verbose version of package.json, so is it safe or possible to use only the lock file.
I see, I've left package.json in my projects, mainly to have a place for npm scripts.
There is now a separate question on whether to put package-lock.json under version control.
Vivek Goel

A more accurate and detailed explanation of the reason behind keeping package-lock.json can be found here