DEV Community 👩‍💻👨‍💻

Atakan Demircioğlu
Atakan Demircioğlu

Posted on

package.json & package.lock.json Explained


The first question is “Should I commit package-lock.json files?”.

Let us talk about this and then answer this question.

What is package.json?

Basically, we can say that is the heart of any node project. This file stores the metadata about the project and manages the project’s dependencies, version, scripts, etc.

What is package-lock.json?

When you install some packages this file is created automatically. It stores the exact versioned dependency tree and this guarantees the dependencies for other developers. Actually, it is a very important feature of npm but some people don’t understand this.

What about semantic versioning?

"dependencies": {
"my_dep": "^1.0.0",
"another_dep": "~2.2.0"
Enter fullscreen mode Exit fullscreen mode
  • Patch releases: 1.0 or 1.0.x or ~1.0.4
  • Minor releases: 1 or 1.x or ^1.0.4
  • Major releases: * or x

What’s the difference between tilde(~) and caret(^)?

In our first example, you can see we started with the ^ symbol and this means something different.

This caret(^) symbol basically says, the program can upgrade the patch releases and also minor releases but it can’t get the major releases.

If my_dep has new patch releases and minor releases when we run npm install it will automatically upgrade to the last version. But it will not upgrade to major releases.

tilde(~) means the program can upgrade for patch releases but it will not upgrade to minor or major releases.

What is the npm ci command?

When you use tilde(~) or a caret(^) in your dependencies, if you run the npm install command it will automatically override your package-lock.json. If you just want to use exact dependencies without upgrading them, you can easily run this command. And basically, that’s why you need to commit the package-lock.json file.


This article orginally published at medium.

Top comments (0)

🌚 Life is too short to browse without dark mode