DEV Community
package-lock.json: What is it, why is it important, and why should you commit it?

package-lock.json is a JSON file that records the exact dependency tree of a Node project: every package that was installed (direct and transitive), the precise version that was chosen, the URL its tarball was fetched from, and an integrity hash of that tarball.

This file is important because it lets everyone working on the project, and your CI, install the same dependency versions, rather than whatever happens to satisfy the version ranges in package.json on the day they run npm install.
Why does npm create a package-lock.json file, and when?

  1. Create a default package.json with npm init. In this walkthrough the project lives in a folder called LearningPath; npm init -y accepts all the defaults without prompting.

  2. Open package.json to see what was generated: cat package.json. It contains only project metadata (name, version, scripts); there is no dependencies section yet.

  3. If you run ls you will see only package.json, because nothing has been installed. Now install a dependency, for example jest.

  4. npm install jest installs the latest published version of jest, together with every package that jest itself depends on, and adds jest to the dependencies section of package.json with a caret range (for example ^23.6.0).

  5. List the folder again with ls: it now contains node_modules, package-lock.json and package.json.

  6. All installed packages, including jest's transitive dependencies, are placed in the node_modules subdirectory.

  7. package-lock.json was created by that install. It holds far more JSON than package.json because it records the exact version of every package that ended up in node_modules, not just the ranges you asked for. That difference is the whole reason the file exists.

Importance of package-lock.json:

jest depends on many other packages, jest-cli among them, and each of those declares its own dependencies as version ranges rather than exact versions. Suppose that when you install jest, the newest jest-cli satisfying its range is 23.6.0, so that is what lands in your node_modules. A few days later a coworker clones the project and runs npm install, but by then jest-cli 23.7.0 has been published, it also satisfies the range, and they get that one instead (the version numbers here are illustrative). The two installation directories now differ, and differences like that are what produce "works on my machine" bugs.

The purpose of package-lock.json is to record exactly which versions were installed. You check it into source control, and everyone else installs from that same lockfile.

When you run npm install, npm reads package-lock.json and installs the versions pinned there, as long as they still satisfy the ranges in package.json. If you have changed a range in package.json, or there is no lockfile at all, npm resolves fresh from package.json and writes a new lockfile. On CI and in deployment pipelines use npm ci instead: it installs strictly from the lockfile, fails if package.json and package-lock.json disagree, and never rewrites the lock. Either way, everybody on the team ends up running the same exact versions of every package, so you do not get weird issues where something works for one person but not for another.

The lockfile also has a security role. Each entry carries the URL the package was fetched from (resolved) and a hash of its tarball (integrity), and npm verifies every download against that hash. A committed lockfile therefore pins not just the version but the bytes, which is why changes to package-lock.json deserve the same review in a pull request as any other code change.
