Everything You Wanted To Know About package-lock.json But Were Too Afraid To Ask

You can also read this story on my personal Gatsby blog.

Introduction

So you’ve updated Node Package Manager (npm) to v5.x.x, and everything seems to be going fine. But wait, what’s this? A new file was created automatically. Package-lock.json. If you open it, it looks sort of like the dependencies in package.json, but more verbose. You decide to ignore it and go along your way developing your project. Eventually, you run into problems with a dependency. It can’t be found or the wrong version seems to be installed. Most people just end up deleting the package-lock.json and running `npm install`. So why even have it? What is it supposed to do? What does it actually do?

Summary

• If you’re using npm ^5.x.x, by default a package-lock.json will be generated for you
• You should use package-lock to ensure a consistent install and compatible dependencies
• You SHOULD commit your package-lock to source control
• As of npm ^5.1.x, package.json is now able to trump package-lock.json, so you should experience much less of a headache
• No more deleting that package-lock just to run `npm install` and regenerate it
• Use semver if your app offers an API, and adhere to the rules of semver.

Background

Semantic Versioning