Gershom Maes

Reputation: 8150

Npm; is package-lock.json redundant if package.json only specifies exact versions?

I struggle with npm's package.json and package-lock.json duality. I believe this question may provide insight regarding how these files relate to each other:

If we define a package.json file which only specifies exact versions for all dependencies, e.g.:

...
  "dependencies": {
    "dep1": "1.2.3",
    "dep2": "4.5.6"
  }
...

and never any ambiguous versions, such as:

...
  "dependencies": {
    "dep1": "^1.2.3",
    "dep2": "4.5.*"
  }
...

then would there ever be a reason to also maintain a package-lock.json file? (And if so, what is such a reason?)

Upvotes: 3

Views: 827

Answers (1)

Mr.

Reputation: 10102

The package-lock.json is not redundant even if you pin specific versions of your dependencies.

package-lock.json protects you from transitive dependencies - any dependency that is induced by the components that the program references directly.

It describes the exact tree that was generated, such that subsequent installs are able to generate identical trees, regardless of intermediate dependency updates.

For example:

  1. A → B
  2. It is not the case that B → A
  3. B → C

Then the dependency A → C (which follows from 1 and 3 by the axiom of transitivity) is a transitive dependency.

Note that B can use any non-exact version constraint on C, such as >= X. So it might be that when the C dependency is resolved, each time it can be any version bigger than X. package-lock.json will guarantee that is not the case.

Upvotes: 6
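The A → B → C situation from the answer, modelled in a small script (an added example, not part of the original answer). The registries, package names and the minimal `satisfies` range check are constructed stand-ins for the npm registry and semver; the root package pins B exactly, B constrains C only with ">=2.0.0", and a new C release appears between the first install and the next one.

```javascript
// Constructed registries: each package version lists its own dependency ranges.
// "Before" is the registry at first install; "after" is the same registry once
// C 2.1.0 has been published. B itself only ever constrains C with ">=2.0.0".
const registryBefore = {
  B: { "1.0.0": { C: ">=2.0.0" } },
  C: { "2.0.0": {} },
};
const registryAfter = {
  B: { "1.0.0": { C: ">=2.0.0" } },
  C: { "2.0.0": {}, "2.1.0": {} },
};

const parse = (v) => v.split(".").map(Number);
const cmp = (a, b) => {
  const [x, y] = [parse(a), parse(b)];
  for (let i = 0; i < 3; i++) if (x[i] !== y[i]) return x[i] - y[i];
  return 0;
};

// Minimal range check (hypothetical stand-in for semver): exact "1.2.3" or ">=X.Y.Z".
function satisfies(version, range) {
  if (range.startsWith(">=")) return cmp(version, range.slice(2).trim()) >= 0;
  return cmp(version, range) === 0;
}

// Resolve the full tree from the root's ranges. Without a lock, the highest
// published version matching each range is taken; with a lock, the recorded
// version is reused as long as it still satisfies the declared range.
function resolve(registry, rootDeps, lock = {}) {
  const resolved = {};
  const visit = (name, range) => {
    if (resolved[name]) return; // already placed in the tree
    const candidates = Object.keys(registry[name]).filter((v) => satisfies(v, range)).sort(cmp);
    if (candidates.length === 0) throw new Error(`no version of ${name} satisfies ${range}`);
    const locked = lock[name];
    const chosen = locked && satisfies(locked, range) ? locked : candidates[candidates.length - 1];
    resolved[name] = chosen;
    for (const [dep, depRange] of Object.entries(registry[name][chosen])) visit(dep, depRange);
  };
  for (const [name, range] of Object.entries(rootDeps)) visit(name, range);
  return resolved;
}

// The root package.json pins B exactly; C is only reached transitively through B.
const rootDeps = { B: "1.0.0" };
const firstInstall = resolve(registryBefore, rootDeps);    // C resolves to 2.0.0
const lockfile = firstInstall;                              // what package-lock.json records
const unlocked = resolve(registryAfter, rootDeps);          // C drifts to 2.1.0
const locked = resolve(registryAfter, rootDeps, lockfile);  // C stays at 2.0.0
```

Pinning B in package.json never constrains C; only the recorded tree does, which is why `locked` and `unlocked` differ even though the root manifest is identical.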
