Flavio

Reputation: 25

How exactly does the package.json update flag work (under the hood)?

I'm trying to understand how the package.json update process works. For example:

"dependencies": {
    "express": "^4.16.4"
},

In this case I have Express with the minus flag ^ for only 4.X.X updates. This is clear. But how exactly does this update work? I mean, if I delete the node_modules folder (and the package-lock.json) 1 week after the first installation (and a new Express version has been released), which version do I download? The 4.16.4 or (for example) the 4.17.0? I think the 4.17.0, but the package.json still remains with the 4.16.4 (text description) and the update is reported in the package-lock.json or something else? I've never seen the numbers change in the package.json.

I am very confused about this.

Sometimes, when I check some module in its folder I see a different version from the one in package.json. Why?

Upvotes: 0

Views: 252

Answers (1)

Nathan

Reputation: 8151

The caret (^) will update to the most recent version within the current major version (the first number). ^4.16.4 will match any 4.x.x release including 4.17.x, but will hold off on updating to the 5.0.0 release of Express, since this is a major release with breaking changes to the Express library.

As for your question: "If I were to delete the node_modules directory and the package-lock.json file a week after first installing Express, and say a new Express version was released in that timeframe, which version of Express would I download?"

That depends on whether the newest version was a major, minor, or patch release. If the newest version was a minor or patch release (the second or third number changes), then npm would install the latest 4.x.x Express version. In your specific example scenario, yes, it would install Express v4.17.0. You're also correct that the package.json will still list "express": "^4.16.4" as a necessary dependency to build your project. This is because of how the caret works, as explained earlier: grab the latest 4.x.x version of Express. There is no need to update your Express listing within the package.json to the newest version, since the caret will take care of that for you. If you think about it, that is a really nice feature, since the alternative would be to manually specify each new version release even if it is just a minor or patch release. And nobody has time for that... unless it's a major release.

Furthermore, since the latest Express release wasn't a major release, i.e. the first number of your semver didn't change, there are no "breaking changes", so it's usually safe to just grab the latest version. However, with that being said, you can specify an exact version of any dependency if desired. As for the package-lock.json file, this file is kind of like a "snapshot" of your current configuration and build dependencies. So this file will update as you make changes that affect the building of your project, i.e. either adding new dependencies or updating existing versions. This is because this file should be the "source of truth" for others in case they want to replicate building your project and potentially contribute to it.

Hopefully that helps!

Upvotes: 1
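The following is an added example, not code from the original question or answer. It implements the caret-range rule the answer describes (including the 0.x.y case npm treats specially, which the thread does not mention) and simulates what a fresh install resolves to with and without a lock entry. The registry version list, the `installExpress` helper and the lock-file shape are constructed for the illustration and are not npm's own API.

```javascript
// Added example: a minimal model of npm's caret (^) range semantics and of
// how package-lock.json changes what `npm install` resolves.
// PUBLISHED is a constructed list of versions standing in for the registry.

const PUBLISHED = ['4.16.3', '4.16.4', '4.17.0', '4.17.1', '5.0.0'];

// Parse a plain "major.minor.patch" version (no prerelease tags handled here).
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v.trim());
  if (!m) throw new Error(`not a plain semver version: ${v}`);
  return { major: +m[1], minor: +m[2], patch: +m[3] };
}

// Numeric comparison; returns <0, 0, >0 like a sort comparator.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  return (pa.major - pb.major) || (pa.minor - pb.minor) || (pa.patch - pb.patch);
}

// Caret rule: allow changes that do not modify the left-most non-zero part.
//   ^4.16.4 -> >=4.16.4 <5.0.0
//   ^0.2.3  -> >=0.2.3  <0.3.0   (0.x: minor is treated as "breaking")
//   ^0.0.3  -> >=0.0.3  <0.0.4   (0.0.x: even a patch bump is excluded)
function caretUpperBound(base) {
  const { major, minor, patch } = parseVersion(base);
  if (major > 0) return `${major + 1}.0.0`;
  if (minor > 0) return `0.${minor + 1}.0`;
  return `0.0.${patch + 1}`;
}

function satisfiesCaret(range, candidate) {
  if (!range.startsWith('^')) throw new Error('only caret ranges are modelled here');
  const base = range.slice(1);
  return compareVersions(candidate, base) >= 0 &&
         compareVersions(candidate, caretUpperBound(base)) < 0;
}

// Highest published version that satisfies the range: what npm picks when
// there is no lock entry to honour (i.e. after deleting package-lock.json).
function resolveHighest(range, published) {
  const ok = published.filter((v) => satisfiesCaret(range, v));
  if (ok.length === 0) return null;
  return ok.slice().sort(compareVersions)[ok.length - 1];
}

// Simplified model of `npm install` for one dependency (hypothetical helper):
// if the lock records a version that still satisfies the package.json range,
// that exact version is kept; otherwise the range is re-resolved against the
// registry and the lock would be rewritten.
function installExpress({ range, published, lock }) {
  if (lock && lock.version && satisfiesCaret(range, lock.version)) {
    return { version: lock.version, from: 'package-lock.json' };
  }
  return { version: resolveHighest(range, published), from: 'registry' };
}

// Walk through the scenario from the question.
console.log(satisfiesCaret('^4.16.4', '4.17.0'));           // true
console.log(satisfiesCaret('^4.16.4', '5.0.0'));            // false
console.log(installExpress({ range: '^4.16.4', published: PUBLISHED,
                             lock: { version: '4.16.4' } })); // 4.16.4 from lock
console.log(installExpress({ range: '^4.16.4', published: PUBLISHED,
                             lock: null }));                  // 4.17.1 from registry
```

The practical point for the asker's "delete node_modules and package-lock.json" case: the range in package.json never changes, so what you get is whatever the registry holds at install time, which is why the version in `node_modules/express/package.json` can differ from the `^4.16.4` text. Keeping package-lock.json committed, and installing with `npm ci` (which installs exactly the locked versions and fails if the lock and package.json disagree) rather than `npm install`, is what makes a build reproducible and keeps a newly published minor release, legitimate or not, from silently landing in your dependency tree.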
