Reputation: 5933
My app is node v4, I wrote it back on v4 and have never needed to update it (if it ain't broke...). That is, until one of the dependencies removed v4 support in a minor version update.
I read that there is this idea of package-lock.json in 5.x+.
Will the package-lock.json concept prevent the scenario of minor versions breaking my app when I have to reinstall from source?
I basically want to verify a node_modules is working as expected, and every time I run npm install I get the same node_modules I did originally, even if a dependency five deep decides to update their package, I don't want it.
Upvotes: 5
Views: 2962
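The reproducibility the question is after comes from the nested tree that npm 5 writes into package-lock.json: every package, at any depth, is recorded with an exact version and (normally) a tarball integrity hash. The script below is an added example, not code from the question or from npm; it walks a constructed lockfileVersion 1 lock (names, URLs and hashes are placeholders) to show the pinned version of a dependency three levels down, flags entries that carry no integrity hash, and checks that every "requires" is satisfied by an entry in scope, which is how a lock that no longer describes a complete tree shows up. It assumes a current Node release (Object.entries), not the Node 4 the app itself runs on.

```javascript
// Added example (not from the question or answers): walk an npm 5
// package-lock.json (lockfileVersion 1) and show that every package,
// however deep, is pinned, plus two consistency checks.
// The lock below is constructed; names, URLs and hashes are placeholders.
const sampleLock = {
  name: "my-node4-app",
  version: "1.0.0",
  lockfileVersion: 1,
  requires: true,
  dependencies: {
    "web-framework": {
      version: "2.3.1",
      resolved: "https://registry.example.invalid/web-framework/-/web-framework-2.3.1.tgz",
      integrity: "sha512-CONSTRUCTEDHASH0001",
      requires: { "http-helper": "^1.0.0" },
      dependencies: {
        "http-helper": {
          version: "1.4.0",
          resolved: "https://registry.example.invalid/http-helper/-/http-helper-1.4.0.tgz",
          integrity: "sha512-CONSTRUCTEDHASH0002",
          requires: { "tiny-util": "~0.2.0" },
          dependencies: {
            "tiny-util": {
              version: "0.2.7",
              resolved: "https://registry.example.invalid/tiny-util/-/tiny-util-0.2.7.tgz",
              integrity: "sha1-CONSTRUCTEDHASH0003"
            }
          }
        }
      }
    },
    "logger": {
      version: "3.0.0",
      resolved: "https://registry.example.invalid/logger/-/logger-3.0.0.tgz",
      // integrity deliberately omitted so the check below has something to report
      requires: { "tiny-util": "^0.2.0" } // nothing in scope provides it
    }
  }
};

// Flatten the nested tree into one record per package, with its depth and
// the chain of parents it is nested under.
function walkLock(lock) {
  const records = [];
  (function visit(deps, parents) {
    for (const [name, entry] of Object.entries(deps || {})) {
      const path = parents.concat(name);
      records.push({
        name,
        version: entry.version,
        depth: path.length,
        path: path.join(" > "),
        hasIntegrity: typeof entry.integrity === "string" && entry.integrity.length > 0
      });
      visit(entry.dependencies, path);
    }
  })(lock.dependencies, []);
  return records;
}

// Exact version the lock pins for a name (first occurrence, top-down).
function pinnedVersion(lock, name) {
  const hit = walkLock(lock).find(r => r.name === name);
  return hit ? hit.version : null;
}

// Entries with no integrity hash: npm cannot verify the tarball it fetches
// for these, so they deserve a look before the lock is trusted.
function missingIntegrity(lock) {
  return walkLock(lock).filter(r => !r.hasIntegrity).map(r => r.path);
}

// Resolve each "requires" the way node_modules lookup does: the package's own
// nested dependencies first, then each ancestor's, up to the root. Anything
// unresolved means the lock does not describe a complete tree.
function checkRequires(lock) {
  const problems = [];
  (function visit(entry, scopes) {
    for (const [name, child] of Object.entries(entry.dependencies || {})) {
      const childScopes = scopes.concat([child.dependencies || {}]);
      for (const req of Object.keys(child.requires || {})) {
        const provided = childScopes.some(s => Object.prototype.hasOwnProperty.call(s, req));
        if (!provided) problems.push(`${name}@${child.version} requires ${req}, but no lock entry in scope provides it`);
      }
      visit(child, childScopes);
    }
  })(lock, [lock.dependencies || {}]);
  return problems;
}

// Stand-alone run: indented tree, then the two reports.
for (const r of walkLock(sampleLock)) {
  console.log(`${"  ".repeat(r.depth - 1)}${r.name}@${r.version}${r.hasIntegrity ? "" : "  (no integrity)"}`);
}
console.log("missing integrity:", missingIntegrity(sampleLock));
console.log("unresolved requires:", checkRequires(sampleLock));
```

Running the same checks against a real package-lock.json only needs the file read in with fs and JSON.parse in place of sampleLock; a lock with no unresolved requires and no missing integrity is one that npm can reproduce and verify tarball by tarball.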
Reputation: 1859
As you already said in the comments, the answer is Yes.
And for your dependencies' dependencies, running npm install will install the versions specified in their respective package.json (they don't have package-lock.json as it is not published, but they could have a shrinkwrap) unless you run npm update.
In short, you would only run into a scenario you don't want if you run npm update, but npm install won't give you trouble.
By the way, you can easily replicate that behaviour by copying your package.json to 2 environments where you have the 2 versions of node that you need.
Upvotes: 2
Reputation: 1681
package-lock.json is automatically generated for any operations where npm modifies either the node_modules tree, or package.json. It describes the exact tree that was generated, such that subsequent installs are able to generate identical trees, regardless of intermediate dependency updates.
This file is intended to be committed into source repositories, and serves various purposes:
- Describe a single representation of a dependency tree such that teammates, deployments, and continuous integration are guaranteed to install exactly the same dependencies.
- Provide a facility for users to "time-travel" to previous states of node_modules without having to commit the directory itself.
- To facilitate greater visibility of tree changes through readable source control diffs.
- And optimize the installation process by allowing npm to skip repeated metadata resolutions for previously-installed packages.
One key detail about package-lock.json is that it cannot be published, and it will be ignored if found in any place other than the toplevel package. It shares a format with npm-shrinkwrap.json(5), which is essentially the same file, but allows publication. This is not recommended unless deploying a CLI tool or otherwise using the publication process for producing production packages.
If both package-lock.json and npm-shrinkwrap.json are present in the root of a package, package-lock.json will be completely ignored.
Upvotes: 0
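Two practical consequences of this answer are worth checking in code: which lock file npm will actually honour in a package root (npm-shrinkwrap.json takes precedence and package-lock.json is then ignored), and whether the lock still agrees with package.json, since a lock only reproduces the tree while the declared ranges still match it. The script below is an added example, not npm's code or the answer's; the manifests are constructed with placeholder package names, and the range check deliberately covers only the exact, caret and tilde forms npm writes by default, reporting anything else as unchecked rather than guessing.

```javascript
// Added example (not from the answers): lock file precedence and a
// package.json vs lock consistency check. Manifests are constructed;
// package names are placeholders.

// npm-shrinkwrap.json wins; package-lock.json is ignored when both exist.
function chooseLockfile(filesInPackageRoot) {
  const present = new Set(filesInPackageRoot);
  if (present.has("npm-shrinkwrap.json")) return "npm-shrinkwrap.json";
  if (present.has("package-lock.json")) return "package-lock.json";
  return null; // nothing pins the tree; npm install resolves ranges afresh
}

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  return m ? [Number(m[1]), Number(m[2]), Number(m[3])] : null;
}
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}

// Does the locked version fall inside the declared range? Only the forms npm
// writes by default (exact, ^, ~) are handled; anything else is "unchecked".
function satisfies(range, version) {
  const ver = parseVersion(version);
  const m = /^([\^~]?)(\d+)\.(\d+)\.(\d+)$/.exec(String(range).trim());
  if (!ver || !m) return "unchecked";
  const op = m[1];
  const base = [Number(m[2]), Number(m[3]), Number(m[4])];
  if (compareVersions(ver, base) < 0) return false;
  if (op === "") return compareVersions(ver, base) === 0;
  if (op === "~") return ver[0] === base[0] && ver[1] === base[1]; // ~1.2.3 => <1.3.0
  if (base[0] !== 0) return ver[0] === base[0];                     // ^1.2.3 => <2.0.0
  if (base[1] !== 0) return ver[0] === 0 && ver[1] === base[1];     // ^0.2.3 => <0.3.0
  return compareVersions(ver, base) === 0;                          // ^0.0.3 => <0.0.4
}

// Compare every dependency declared in package.json with its top-level lock entry.
function checkDeclaredDeps(pkg, lock) {
  const declared = Object.assign({}, pkg.dependencies || {}, pkg.devDependencies || {});
  const locked = lock.dependencies || {};
  return Object.entries(declared).map(([name, range]) => {
    if (!locked[name]) return { name, range, locked: null, status: "missing-from-lock" };
    const ok = satisfies(range, locked[name].version);
    const status = ok === "unchecked" ? "unchecked" : ok ? "ok" : "out-of-range";
    return { name, range, locked: locked[name].version, status };
  });
}

// Constructed manifests: logger's range was tightened after the lock was
// written, and left-out was added to package.json but never installed.
const samplePackageJson = {
  name: "my-node4-app",
  version: "1.0.0",
  dependencies: { "web-framework": "^2.0.0", "logger": "~3.0.0", "left-out": "^1.0.0" },
  devDependencies: { "test-runner": "1.2.3" }
};
const samplePackageLock = {
  name: "my-node4-app",
  version: "1.0.0",
  lockfileVersion: 1,
  dependencies: {
    "web-framework": { version: "2.3.1", integrity: "sha512-CONSTRUCTEDHASH0001" },
    "logger": { version: "3.1.0", integrity: "sha512-CONSTRUCTEDHASH0002" },
    "test-runner": { version: "1.2.3", dev: true, integrity: "sha512-CONSTRUCTEDHASH0003" }
  }
};

console.log("lock file npm will use:",
  chooseLockfile(["package.json", "package-lock.json", "npm-shrinkwrap.json"]));
for (const r of checkDeclaredDeps(samplePackageJson, samplePackageLock)) console.log(r);
```

When the two files disagree, npm install reconciles them by re-resolving the affected ranges and rewriting the lock, which is exactly the drift the question wants to avoid; npm ci (available from npm 5.7) instead refuses to proceed until package.json and the lock agree, so it is the command to use in CI and deployment when the goal is an identical node_modules every time.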