So you just got…
npm notice created a lockfile as package-lock.json. You should commit this file.
What is it, and what to do?
Should I commit it?
In case you are wondering, yes, you should commit package-lock.json. Yes, commit as in add it to your version control and push. Don’t be afraid.
What is it, though? At the docs you get:
package-lock.json is automatically generated for any operations where npm modifies either the node_modules tree, or package.json. It describes the exact tree that was generated, such that subsequent installs are able to generate identical trees, regardless of intermediate dependency updates.
But I too didn’t find that so enlightening.
Really, for &#^$#&’s sake, in human terms, what is package-lock.json?
Ok, ok. Calm down. Let me take a stab at it.
In a few words, every time you use npm install, NPM will read your package.json file and download your dependencies (and your dependencies’ dependencies) to your node_modules folder.
Ideally, if you didn’t change your package.json file, anywhere you run npm install you should get the exact same content at node_modules.
But for several reasons (different NPM versions at each machine, server changes, version changes – e.g. a semver range like ~1.2.3, etc.), that is not always the case.
That’s where package-lock.json comes in. It is basically a (reproducible) record of what files were actually downloaded.
So, now, every time you run npm install, if package-lock.json is present, you (or your fellow devs, or the CI server, or your boss’ cousin) will get the exact same dependency tree downloaded to node_modules.
Simple, isn’t it?
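To make the "record of what was actually downloaded" concrete, here is an added example (it is not from the original post) that reads a lockfile and lists what it pins. Each entry in package-lock.json carries the exact version, the URL the tarball came from (the resolved field) and a Subresource Integrity hash of that tarball (the integrity field); those two fields are what let a later npm install reproduce and verify the same tree. The lockfile object below is constructed for this example, and the check for a missing integrity hash, a non-https URL or an unexpected host is an assumed review policy, not something npm enforces by itself. It handles both the flat packages map of lockfileVersion 2/3 and the nested dependencies map of lockfileVersion 1.

```javascript
// Added example, not code from the original post.
// Constructed package-lock.json contents (lockfileVersion 3 layout).
const constructedLockfile = {
  name: "example-app",
  version: "1.0.0",
  lockfileVersion: 3,
  packages: {
    // The empty key is the root project itself, not a downloaded package.
    "": { name: "example-app", version: "1.0.0", dependencies: { "left-pad": "^1.3.0", "some-lib": "~2.0.0" } },
    "node_modules/left-pad": {
      version: "1.3.0",
      resolved: "https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz",
      integrity: "sha512-CONSTRUCTED_PLACEHOLDER_HASH==",
    },
    "node_modules/some-lib": {
      version: "2.0.0",
      // Constructed: plain http, a host outside the registry, and no integrity hash.
      resolved: "http://mirror.example.internal/some-lib-2.0.0.tgz",
    },
  },
};

// Flatten either lockfile layout into one list of {name, version, resolved, integrity}.
function lockedPackages(lock) {
  const out = [];
  if (lock.packages) {
    // lockfileVersion 2/3: keys are paths like "node_modules/a/node_modules/@scope/b".
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (path === "") continue; // skip the root project entry
      const name = path.replace(/^.*node_modules\//, "");
      out.push({ name, version: meta.version, resolved: meta.resolved, integrity: meta.integrity });
    }
  } else if (lock.dependencies) {
    // lockfileVersion 1: nested "dependencies" objects keyed by package name.
    const walk = (deps) => {
      for (const [name, meta] of Object.entries(deps)) {
        out.push({ name, version: meta.version, resolved: meta.resolved, integrity: meta.integrity });
        if (meta.dependencies) walk(meta.dependencies);
      }
    };
    walk(lock.dependencies);
  }
  return out;
}

// Assumed review policy: every locked package should carry an integrity hash and
// be resolved over https from a host on the allow list. Returns human-readable findings.
function auditLockfile(lock, allowedHosts = ["registry.npmjs.org"]) {
  const findings = [];
  for (const pkg of lockedPackages(lock)) {
    const id = `${pkg.name}@${pkg.version}`;
    if (!pkg.integrity) findings.push(`${id}: no integrity hash, tarball contents cannot be verified`);
    if (!pkg.resolved) {
      findings.push(`${id}: no resolved URL`);
      continue;
    }
    let url;
    try {
      url = new URL(pkg.resolved);
    } catch {
      findings.push(`${id}: unparsable resolved URL ${pkg.resolved}`);
      continue;
    }
    if (url.protocol !== "https:") findings.push(`${id}: fetched over ${url.protocol.replace(":", "")}, not https`);
    if (!allowedHosts.includes(url.hostname)) findings.push(`${id}: resolved from unexpected host ${url.hostname}`);
  }
  return findings;
}

// Stand-alone run: print what the constructed lockfile pins and any policy findings.
for (const pkg of lockedPackages(constructedLockfile)) {
  console.log(`${pkg.name}@${pkg.version} <- ${pkg.resolved} (${pkg.integrity ? "integrity ok" : "NO integrity"})`);
}
const findings = auditLockfile(constructedLockfile);
console.log(findings.length ? findings.join("\n") : "all locked packages are pinned with https and an integrity hash");
```

Running it with node prints the two locked packages, then three findings for some-lib (no integrity hash, plain http, unexpected host) and none for left-pad. To run it against a real project, replace constructedLockfile with JSON.parse(fs.readFileSync("package-lock.json", "utf8")) and adjust allowedHosts to whatever registry or mirror your team actually uses.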