Do I need both package-lock.json and package.json?
NpmNpm Installpackage.jsonPackage lock.jsonNpm Problem Overview
After updating my NPM to the latest version (from 3.X to 5.2.0) and running npm install
on an existing project, I get an auto-created package-lock.json
file.
I can tell package-lock.json
gives me an exact dependency tree as opposed to package.json
.
From that info alone, it seems like package.json
is redundant and not needed anymore.
Are both of them necessary for NPM to work?
Is it safe or possible to use only the package-lock.json
file?
The docs on package-lock.json (doc1, doc2) doesn't mention anything about that.
Edit:
After some more thinking about it, I came to the conclusion that if someone wants to use your project with an older version of NPM (before 5.x) it would still install all of the dependencies, but with less accurate versions (patch versions)
Npm Solutions
Solution 1 - Npm
Do you need both package-lock.json
and package.json
? No.
Do you need the package.json
? Yes.
Can you have a project with only the package-lock.json
? No.
The package.json
is used for more than dependencies - like defining project properties, description, author & license information, scripts, etc. The package-lock.json
is solely used to lock dependencies to a specific version number.
Solution 2 - Npm
package-lock.json
: records the exact version of each installed package which allows you to re-install them. Future installs will be able to build an identical dependency tree.
package.json
: records the minimum version you app needs. If you update the versions of a particular package, the change is not going to be reflected here.
Solution 3 - Npm
If your question is if lock file should be committed to your source control - it should. It will be ignored under certain circumstance.
I found it bloating pull requests and commit history, so if you see it change, do a separate commit for it.
Solution 4 - Npm
Solution 5 - Npm
A more accurate and detailed explanation of the reason behind keeping package-lock.json can be found here