package-lock.json file

The package-lock.json file is generated automatically when you install Node packages. Learn what it is for.

In version 5, npm introduced the package-lock.json file.

What is that? You probably know the package.json file, which is much more common and has been around for much longer.

The goal of this file is to track the exact version of every package that is installed, so that the product can be reproduced 100% the same way even if a package is updated by its maintainer.

This solves a very specific problem that package.json left open. In package.json, you can use semver notation, for example:

  • If you write ~0.13.0, you only want to update patch releases: 0.13.1 is fine, but 0.14.0 is not.
  • If you write ^0.13.0, you want to update patch and minor releases: 0.13.1, 0.14.0 and so on.
  • If you write 0.13.0, that exact version is always used.

You don't have to commit your node_modules folder to Git, since the folder is usually very large. When you then run the npm install command, if you specified the ~ syntax and a patch release of the package has been published, that release is the one that gets installed. The same goes for ^ and minor releases.

If you specify an exact version, such as 0.13.0 in the example, you are not affected by this problem.

It may be you, or another person on the other side of the world, trying to initialize the project by running npm install.

Therefore, your original project and the newly initialized project are actually different. Even though a patch or minor release should not introduce breaking changes, we all know that bugs can (and therefore will) sneak in.

The package-lock.json file sets the currently installed version of each package in stone, and npm will use those exact versions when running npm install.

This concept is not new, and other programming language package managers (such as Composer in PHP) have used similar systems for many years.

The package-lock.json file needs to be committed to your Git repository, so that others can fetch it if the project is public or you have collaborators, or if you use Git as a deployment source.

The dependency versions are updated in the package-lock.json file when you run npm update.

An example

This is an example structure of the package-lock.json file we get when we run npm install cowsay in an empty folder:

{
  "requires": true,
  "lockfileVersion": 1,
  "dependencies": {
    "ansi-regex": {
      "version": "3.0.0",
      "resolved": "",
      "integrity": "sha1-7QMXwyIGT3lGbAKWa922Bas32Zg="
    },
    "cowsay": {
      "version": "1.3.1",
      "resolved": "",
      "integrity": "sha512-3PVFe6FePVtPj1HTeLin9v8WyLl+VmM1l1H/5P+BTTDkM…",
      "requires": {
        "get-stdin": "^5.0.1",
        "optimist": "~0.6.1",
        "string-width": "~2.1.1",
        "strip-eof": "^1.0.0"
      }
    },
    "get-stdin": {
      "version": "5.0.1",
      "resolved": "",
      "integrity": "sha1-Ei4WFZHiH/TFJTAwVpPyDmOTo5g="
    },
    "is-fullwidth-code-point": {
      "version": "2.0.0",
      "resolved": "",
      "integrity": "sha1-o7MKXE8ZkYMWeqq5O+764937ZU8="
    },
    "minimist": {
      "version": "0.0.10",
      "resolved": "",
      "integrity": "sha1-3j+YVD2/lggr5IrRoMfNqDYwHc8="
    },
    "optimist": {
      "version": "0.6.1",
      "resolved": "",
      "integrity": "sha1-2j6nRob6IaGaERwybpDrFaAZZoY=",
      "requires": {
        "minimist": "~0.0.1",
        "wordwrap": "~0.0.2"
      }
    },
    "string-width": {
      "version": "2.1.1",
      "resolved": "",
      "integrity": "sha512-nOqH59deCq9SRHlxq1Aw85Jnt4w6KvLKqWVik6oA9ZklXLNIOlqg4F2yrT1MVaTjAqvVwdfeZ7w7aCvJD7ugkw==",
      "requires": {
        "is-fullwidth-code-point": "^2.0.0",
        "strip-ansi": "^4.0.0"
      }
    },
    "strip-ansi": {
      "version": "4.0.0",
      "resolved": "",
      "integrity": "sha1-qEeQIusaw2iocTibY1JixQXuNo8=",
      "requires": {
        "ansi-regex": "^3.0.0"
      }
    },
    "strip-eof": {
      "version": "1.0.0",
      "resolved": "",
      "integrity": "sha1-u0P/VZim6wXYm1n80SnJgzE2Br8="
    },
    "wordwrap": {
      "version": "0.0.3",
      "resolved": "",
      "integrity": "sha1-o9XabNXAvAAI03I0u68b7WMFkQc="
    }
  }
}

We installed cowsay, which depends on:

  • get-stdin
  • optimist
  • string-width
  • strip-eof

In turn, these packages require other packages, as we can see from the requires property that some of them have:

  • ansi-regex
  • is-fullwidth-code-point
  • minimist
  • wordwrap
  • strip-eof

They are added to the file in alphabetical order, and each one has a version field, a resolved field pointing to the location of the package, and an integrity string that we can use to verify the package.
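The version, resolved and integrity fields are what a reviewer checks in a lockfile. The following is an added example, not code from the original article: it verifies downloaded bytes against an integrity string and walks a lockfileVersion 1 structure, flagging entries with no integrity value, a SHA-1-only value, or a resolved URL outside the expected registry. The function names, package names and registry host are assumptions made for the illustration.

```javascript
const crypto = require('crypto');

// An integrity value is "<algorithm>-<base64 digest>" (single-hash form, as on this page).
function parseIntegrity(integrity) {
  const i = integrity.indexOf('-');
  if (i < 1) throw new Error('malformed integrity string');
  return { algorithm: integrity.slice(0, i), digest: integrity.slice(i + 1) };
}

// True only if the bytes hash to the digest recorded in the lockfile.
function verifyTarball(bytes, integrity) {
  const { algorithm, digest } = parseIntegrity(integrity);
  const actual = crypto.createHash(algorithm).update(bytes).digest();
  const expected = Buffer.from(digest, 'base64');
  return actual.length === expected.length && crypto.timingSafeEqual(actual, expected);
}

// Walk "dependencies" (nested entries too) and list entries that need review.
// allowedOrigin must end with "/" so a look-alike host cannot share the prefix.
function auditLock(lock, allowedOrigin) {
  const findings = [];
  const walk = (deps, prefix) => {
    for (const [name, entry] of Object.entries(deps || {})) {
      const id = `${prefix}${name}@${entry.version}`;
      if (!entry.integrity) findings.push(`${id}: no integrity`);
      else if (parseIntegrity(entry.integrity).algorithm === 'sha1')
        findings.push(`${id}: sha1 integrity only`);
      if (entry.resolved && !entry.resolved.startsWith(allowedOrigin))
        findings.push(`${id}: resolved outside ${allowedOrigin}`);
      walk(entry.dependencies, `${id} > `);
    }
  };
  walk(lock.dependencies, '');
  return findings;
}

// Constructed sample data: hypothetical packages, placeholder registry host, fake tarball bytes.
const REGISTRY = 'https://registry.example.test/';
const tarball = Buffer.from('constructed tarball bytes');
const sri = (algo) => `${algo}-${crypto.createHash(algo).update(tarball).digest('base64')}`;
const sampleLock = { lockfileVersion: 1, dependencies: {
  'pkg-a': { version: '1.0.0', resolved: `${REGISTRY}pkg-a-1.0.0.tgz`, integrity: sri('sha512') },
  'pkg-b': { version: '0.0.3', resolved: `${REGISTRY}pkg-b-0.0.3.tgz`, integrity: sri('sha1') },
  'pkg-c': { version: '2.0.0', resolved: 'http://mirror.example.test/pkg-c-2.0.0.tgz' },
} };

console.log(verifyTarball(tarball, sri('sha512')), auditLock(sampleLock, REGISTRY));
```

To audit a real project, pass the parsed contents of its package-lock.json and the registry origin you expect to auditLock.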
