What is package-lock.json for?

Good day. I have read the npm documentation and the forums, but I still do not fully understand the purpose of this file.

Here is what is described in the npm documentation:

This file is intended to be committed to source repositories and serves several purposes:

1) Describes a single representation of the dependency tree so that teammates and deployments are guaranteed to install the same dependencies.

2) Allows users to "time travel" to previous states of node_modules without having to commit the directory itself.

3) Facilitates greater visibility of changes in the tree through readable source control diffs.

4) And optimizes the installation process by allowing npm to skip packages that are already installed.

My question is about point 1 right away, because in my project package.json and package-lock.json are not in .gitignore! They get committed. And as that same document says, when we run npm i, the package manager installs the dependencies described in package.json. After downloading each library, it goes inside it and installs that library's dependencies (and so on recursively). At this stage, package-lock.json simply records which internal dependencies of the main libraries we downloaded. How does that help "guarantee that the same dependencies are installed"?

And all of this follows entirely from point 3.

Well, I agree with point 4; indeed, if node_modules already contains such a package (with the same version and hash), it will not be installed again. BUT, again, this information can be obtained not from package-lock.json but from the dependencies of the main package, because almost every library has its own internal package.json. That is, we do not need an intermediate file.

Do I understand everything correctly? Please correct me!

Author: magistr4815, 2018-12-11

3 answers

In addition to dependencies, package.json is also used to define project properties, the description, author and license information, and scripts, while package-lock.json is used exclusively for locking dependencies to specific version numbers.

A package-lock.json is not required in a project. To disable automatic creation of this file, you can write package-lock=false in .npmrc.

 6
Author: Andrew, 2018-12-11 21:51:44

When you write jQuery: "1.3.*" in package.json, it substitutes the largest number available at that moment in place of the asterisk, for example 1.3.7. You uploaded the project to GitHub, some person downloaded it to his computer a year later, ran npm i, and he got 1.3.9 downloaded from the Internet because the developers had already released a new version, so the two of you have different versions. Everything seems the same, but your friend has a bug and you don't. One solution is to add node_modules to git, which is an extremely wild solution. So, put simply, a snapshot of the node_modules folder with all the SPECIFIC versions installed there: that is the package-lock file.

You just don't push node_modules to git, only this one file, and when Peter runs npm i, exactly the same versions as yours will be downloaded from the Internet.

Yours, Captain Obvious)

Plus, when you perform some operations through npm, if this file is present, node does not need to walk through node_modules and scan which versions are installed there; it just uses package-lock as its data source.

 7
Author: Алексей Соснин, 2020-03-01 06:46:37

Pinning package versions is its purpose.
However, running the npm install command does not guarantee installation of the same package versions that were pinned in package-lock.json. Depending on what is written in package.json in front of the package version (I mean the ~ and ^ symbols), packages will still be updated, and npm itself modifies package-lock.json to match the installed updates. This behavior is highly undesirable during automated project builds and when installing packages (also automatically, in CI scripts) for running tests.

For this purpose there is the npm ci command.
According to the documentation, before installing packages with this command, the project's node_modules folder is deleted.

 0
Author: rossano, 2020-10-06 13:54:25
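The following JavaScript is an added example, not part of the question or of either answer and not npm's own code. It models the two behaviours described above: how the same range (`1.3.*`, `~`, `^`) resolves to a different version depending on what the registry holds at install time, and how a lock file pins the choice so that the version survives a later install unless package.json is changed, at which point `npm install` re-resolves and rewrites the lock while `npm ci` refuses. The range matcher is a deliberately small stand-in for the semver library (it does not model prerelease tags or the `0.0.x` special case), and the registry contents and lock-file shape are constructed for the example.

```javascript
// Added example: a toy model of npm version resolution with and without a lock file.
// Not npm's code; the range matcher is a simplified stand-in for the semver library.

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  if (!m) throw new Error(`not a plain x.y.z version: ${v}`);
  return m.slice(1).map(Number);
}

function compareVersions(a, b) {
  const [pa, pb] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] - pb[i];
  return 0;
}

// True if `version` satisfies `range`. Semantics modelled on semver:
//   "1.3.*" / "1.3.x" -> >=1.3.0 <1.4.0
//   "~1.3.7"          -> >=1.3.7 <1.4.0
//   "^1.3.7"          -> >=1.3.7 <2.0.0   (for major 0: >=0.2.3 <0.3.0)
//   "1.3.7"           -> exactly 1.3.7
function satisfies(version, range) {
  const v = parseVersion(version);
  const wild = /^(\d+)\.(\d+)\.[x*]$/.exec(range);
  if (wild) {
    const [maj, min] = wild.slice(1).map(Number);
    return v[0] === maj && v[1] === min;
  }
  const op = range[0] === '~' || range[0] === '^' ? range[0] : '';
  const baseStr = op ? range.slice(1) : range;
  const base = parseVersion(baseStr);
  if (compareVersions(version, baseStr) < 0) return false;   // below the floor
  if (op === '') return compareVersions(version, baseStr) === 0;
  if (op === '~') return v[0] === base[0] && v[1] === base[1];
  // '^': same major; for 0.x.y the minor is the compatibility boundary
  return base[0] === 0 ? v[0] === 0 && v[1] === base[1] : v[0] === base[0];
}

// What `npm i` does with no lock file: pick the highest version published
// *at install time* that satisfies the range. Different day, different answer.
function resolveLatest(range, published) {
  const ok = published.filter((p) => satisfies(p, range)).sort(compareVersions);
  if (ok.length === 0) throw new Error(`no published version satisfies ${range}`);
  return ok[ok.length - 1];
}

// `npm install` with a lock: keep the locked version as long as it still satisfies
// package.json, otherwise re-resolve (and npm would rewrite the lock entry).
// `npm ci`: refuse to proceed when the lock and package.json disagree.
function install(pkgJson, lock, published, { ci = false } = {}) {
  const resolved = {};
  for (const [name, range] of Object.entries(pkgJson.dependencies)) {
    const locked = lock && lock.packages[`node_modules/${name}`]
      ? lock.packages[`node_modules/${name}`].version : undefined;
    if (locked && satisfies(locked, range)) {
      resolved[name] = locked;
    } else if (ci) {
      throw new Error(`npm ci: lock for ${name} (${locked || 'missing'}) does not satisfy ${range}`);
    } else {
      resolved[name] = resolveLatest(range, published[name]);
    }
  }
  return resolved;
}

// Constructed scenario from the answers above: jQuery "1.3.*", with 1.3.7 the newest
// release at the first install and 1.3.9 / 1.4.0 published a year later.
function scenario() {
  const pkgJson = { dependencies: { jquery: '1.3.*' } };
  const registryThen = { jquery: ['1.3.5', '1.3.7'] };
  const registryLater = { jquery: ['1.3.5', '1.3.7', '1.3.9', '1.4.0'] };

  // Day 1: no lock yet; npm records the version it picked in package-lock.json.
  const firstInstall = install(pkgJson, null, registryThen);
  const lockFile = { lockfileVersion: 2, packages: {
    'node_modules/jquery': { version: firstInstall.jquery } } };

  // A year later on a teammate's machine: drift without the lock, pinned with it.
  const withoutLock = install(pkgJson, null, registryLater);
  const withLock = install(pkgJson, lockFile, registryLater);

  // package.json bumped to "^1.4.0": npm install re-resolves, npm ci refuses.
  const bumped = { dependencies: { jquery: '^1.4.0' } };
  const afterBump = install(bumped, lockFile, registryLater);
  let ciError = null;
  try { install(bumped, lockFile, registryLater, { ci: true }); } catch (e) { ciError = e.message; }

  return { firstInstall, withoutLock, withLock, afterBump, ciError };
}

console.log(scenario());
```

The real lock file also stores the `resolved` tarball URL and an `integrity` hash for every entry, so a committed lock plus `npm ci` in CI is not only a reproducibility measure but a supply-chain control: the build fails if package.json and the lock disagree, and the downloaded tarball is checked against the recorded hash.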