What is the difference between npm-shrinkwrap.json and package-lock.json?

Question

With the release of npm@5, it will now write a package-lock.json unless a npm-shrinkwrap.json already exists.

I installed npm@5 globally via:

npm install npm@5 -g

And now, if a npm-shrinkwrap.json is found during:

npm install

a warning will be printed:

npm WARN read-shrinkwrap This version of npm
is compatible with lockfileVersion@1,
but npm-shrinkwrap.json was generated for lockfileVersion@0.
I'll try to do my best with it!

So my take-away is that I should replace the shrinkwrap with the package-lock.json.

Yet why is there a new format for it? What can the package-lock.json do that the npm-shrinkwrap.json cannot?

score 227 · Accepted Answer · edited Mar 30 '21 at 17:03

227

The files have exactly the same content, but there are a handful of differences in how npm handles them, most of which are noted on the docs pages for package-lock.json and npm-shrinkwrap.json:

package-lock.json is never published to npm, whereas npm-shrinkwrap is by default
package-lock.json files that are not in the top-level package are ignored, but shrinkwrap files belonging to dependencies are respected
npm-shrinkwrap.json is backwards-compatible with npm versions 2, 3, and 4, whereas package-lock.json is only recognized by npm 5+

You can convert an existing package-lock.json to an npm-shrinkwrap.json by running npm shrinkwrap.

Thus:

If you are not publishing your package to npm, the choice between these two files is of little consequence. You may wish to use package-lock.json because it is the default and its name is clearer to npm beginners; alternatively, you may wish to use npm-shrinkwrap.json for backwards compatibility with npm 2-4 if it is difficult for you to ensure everyone on your development team is on npm 5+. (Note that npm 5 was released on 25th May 2017; backwards compatibility will become less and less important the further we get from that date, as most people will eventually upgrade.)
If you are publishing your package to npm, you have a choice between:
1. using a package-lock.json to record exactly which versions of dependencies you installed, but allowing people installing your package to use any version of the dependencies that is compatible with the version ranges dictated by your package.json, or
2. using an npm-shrinkwrap.json to guarantee that everyone who installs your package gets exactly the same version of all dependencies
The official view described in the docs is that option 1 should be used for libraries (presumably in order to reduce the amount of package duplication caused when lots of a package's dependencies all depend on slightly different versions of the same secondary dependency), but that option 2 might be reasonable for executables that are going to be installed globally.

edited Mar 30 '21 at 17:03

cincodenada

2,877
25
35

answered Sep 09 '17 at 16:03

Mark Amery

143,130
81
406
459

3

+1 - can you clarify your second bullet point though? What's the distinction between that behaviour and having an npm-shrinkwrap? – Rhys Sep 11 '17 at 19:13
4

@Rhys the second bullet won't matter in practice unless you're doing something weird. Basically, it just says that if a library somehow *did* publish a `package-lock.json` (which isn't possible), then if you were to install that library as a dependency of some other package, the library's `package-lock.json` would be ignored by NPM. However, if a library publishes an `npm-shrinkwrap.json`, and you install the library as a dependency, then you will *also* install as secondary dependencies the *exact versions* of all dependencies specified in the library's `npm-shrinkwrap.json`. – Mark Amery Sep 11 '17 at 19:16
Can you please add that [`npm ci`](https://docs.npmjs.com/cli/ci.html) exists to insure the installation of the `package-lock.json` as read-only. (`npm install` mutates the `package-lock.json` causing confusion and potential bugs and does not take advantage of the `package-lock.json` per se.) – k0pernikus Nov 14 '19 at 12:28
1

@k0pernikus I don't think there's any difference between how `npm ci` handles `npm-shrinkwrap.json` and `package-lock.json` - what's its relevance to this question about the difference between the two files? Also, after reading around: I think that *"`npm install` ... does not take advantage of the `package-lock.json`"* has been false since npm 5.4 - I believe `npm install` now respects your `package-lock` *unless* it's outright incompatible with your `package.json`, in which case the latter will take precedence. (But I've been out of the JavaScript world for a bit - am I missing something?) – Mark Amery Nov 14 '19 at 12:43
Mark how can I prevent npm from publishing shrinkwrap? You mentioned by default it does, which is what I am experiencing. And I don't want the shrinkwrap to be included during "npm publish" step. Thanks – Antoni4 Oct 13 '20 at 14:19
@Mark Amery unfortunately npm install still install the latest version available of a dependency even if the version in package.json are "solid", I mean don't have ^ or ~(that as long I know should indicate to look for the version up if possible), I referring to semantic versioning https://docs.npmjs.com/about-semantic-versioning – Carmine Tambascia Aug 30 '22 at 19:49
@CarmineTambascia No, that isn't true. You can test it easily: create a folder, run `npm init` in it, add `"dependencies": {"lodash": "1.0.0"}` to `package.json`, run `npm install`, and look in the generated `package-lock.json`. You will get Lodash 1.0.0 - not the latest version. – Mark Amery Oct 16 '22 at 18:18
@Mark Amery if there is a specific version of course. But if the version is with semantic versioning then depending on the versioning is been installed the latest or also if that version is been updated in term of api. Indeed otherwise wouldn't been introduced. But somehow I wasn't correct, its try to install also latest version of peer dependecies indeed one can be now avoid that with legacy-peer-deps – Carmine Tambascia Oct 16 '22 at 19:42
@CarmineTambascia I'm confused - now you say that *"of course"* if you specify *"a specific version"* you get it, but earlier (in your August 30th comment) you were saying you *"still install the latest version ... even if"* you *"don't have ^ or ~"*, i.e. if you don't use *"semantic versioning"*. If you weren't saying you get the latest version even with a dependency declaration like `"lodash": "1.0.0"`, what were you saying? – Mark Amery Oct 16 '22 at 20:48

score 30 · Answer 2 · edited Jun 02 '17 at 08:17

30

Explanation from NPM Developer:

The idea is definitely for package-lock.json to be the Latest and Greatest in shrinkwrap technology, and npm-shrinkwrap.json to be reserved for those precious few folks out there who care very much about their libraries having an exact node_modules -- and for people who want CI using npm@>=2 to install a particular tree without having to bump its npm version.

The new lockfile ("package-lock.json") shares basically all of the same code, the exact same format as npm-shrinkwrap (you can rename them between one another!). It's also something the community seems to understand: "it has a lockfile" seems to click so much faster with people. Finally, having a new file meant that we could have relatively low-risk backwards-compat with shrinkwrap without having to do weird things like allow-publication mentioned in the parent post.

edited Jun 02 '17 at 08:17

k0pernikus

60,309
67
216
347

answered Jun 02 '17 at 08:10

SeriousM

3,374
28
33

23

I still am not clear on the difference. If `npm-shrinkwrap` is for exact node_modules....I assume `package-lock.json` is locking less than exact? And if so, what is not locking that `npm-shrinkwrap` is locking? – dman Jul 11 '17 at 15:05
1

you got it wrong @dman. package-lock is the new version of npm-shrinkwrap. package-lock is opt-out (so you have to remove the feature because it's default enabled), npm-shrinkwrap is opt-in (so you have to enable it because it's not included my default). the reason why they introduced package-lock is that 1. user now have a saver way to deal with dependencies because it's enabled by default and 2. the name implies what it is in oposite to "shrinkwrap". npm-shrinkwrap had some special dependency-behavior settings what package-lock doesn't have now. npm-shrinkwrap is now obsolete. – SeriousM Jul 12 '17 at 12:41
10

this is incorrect. By saying that package-lock is the new version of npm-shrinkwrap, you are saying it is a replacement. npm-shrinkwrap is not deprecated and has differences with package-lock.json. Furthermore, package-lock.json [has a bug](https://github.com/npm/npm/issues/17091) while npm-shrinkwrap does not... thus emphasizing more so they are not the same code. – dman Jul 12 '17 at 13:08
Also package-lock.json is intrusive. So it can easily cause scm conflicts if you call "npm i" while shrinkwrap should be explicitly generated and will not cause conflicts on ci servers. Yes, I can be wrong here. – norekhov Mar 29 '18 at 06:57
@dman *"package-lock.json has a bug while npm-shrinkwrap does not"* - no it doesn't. There's no indication of that in the issue you've linked to; it doesn't even mention `npm-shrinkwrap`. As I note in my answer, converting a `package-lock.json` to an `npm-shrinkwrap.json` is literally just done by renaming the file; they *are* "the same code". – Mark Amery Dec 17 '18 at 17:22
after so many reading, I had to have exact same dependecies of a project pass to another one, then I went for npm ci as I have read. Unfortunately I ended-up with an empty node_modules, but not a new one. Of course running npm i,with package.json with non depdencies have ~ or ^ thus indicating not to look for update if existing(but I may be wrong on this) a new modified package-lock.json. – Carmine Tambascia Aug 30 '22 at 19:57
Of course this wasn't what I want as I have some legacy dependecies thatbfor the sake of development I want to keep. The only solution I found was simply to remove again node_module and copy manully the package-lock.json from the other project and run npm install. Someone could tell me if this at the moment achievable via command line and what the step to take? – Carmine Tambascia Aug 30 '22 at 19:57

Cody Brumfield · Answer 3 · 2017-06-02T15:21:33.797

I think the idea was to have --save and shrinkwrap happen by default but avoid any potential issues with a shrinkwrap happening where it wasn't wanted. So, they just gave it a new file name to avoid any conflicts. Someone from npm explained it more thoroughly here:

https://www.reddit.com/r/javascript/comments/6dgnnq/npm_v500_released_save_by_default_lockfile_better/di3mjuk/

The relevant quote:

npm publishes most files in your source directory by default, and people have been publishing shrinkwraps for years. We didn't want to break compatibility. With --save and shrinkwrap by default, there was a great risk of it accidentally making it in and propagating through the registry, and basically render our ability to update deps and dedupe... null.

So we chose a new name. And we chose a new name kind of all of a sudden. The new lockfile shares basically all of the same code, the exact same format

Leponzo · Answer 4 · 2021-08-05T02:33:21.037

7

package-lock.json versions are guaranteed with only npm ci (since npm install overwrites package-lock.json if there is a conflict with package.json).

npm-shrinkwrap.json versions are guaranteed with both npm ci and npm install.

edited Aug 05 '21 at 02:33

answered Aug 05 '21 at 02:21

Leponzo

624
1
8
20

What is the difference between npm-shrinkwrap.json and package-lock.json?

4 Answers4

Linked

Related