274

After updating my NPM to the latest version (from 3.X to 5.2.0) and running npm install on an existing project, I get an auto-created package-lock.json file.

I can tell package-lock.json gives me an exact dependency tree as opposed to package.json.

From that info alone, it seems like package.json is redundant and not needed anymore.

Are both of them necessary for NPM to work?
Is it safe or possible to use only the package-lock.json file?

The docs on package-lock.json (doc1, doc2) don't mention anything about that.

Edit:

After some more thinking about it, I came to the conclusion that if someone wants to use your project with an older version of NPM (before 5.x) it would still install all of the dependencies, but with less accurate versions (patch versions).

Omri Luzon
  • [link](https://stackoverflow.com/questions/44297803/package-lock-json-role) – Lakshmipriya Mukundan Jul 19 '17 at 05:22
  • @Omri unless you do it the java way and tool versions are determined by your project. ie. if I go back 1 year in my repo, it uses an older version of gradle so I never worry about that. – Dean Hiller Feb 13 '22 at 22:40
  • Most people do not do what I recommend which is why npm probably had to keep both where in java, gradle wrapper is setup to do exactly that so they can move from one file to the other and have no duplication for backward compatibility. – Dean Hiller Feb 13 '22 at 22:41

3 Answers

258

Do you need both package-lock.json and package.json? No.

Do you need the package.json? Yes.

Can you have a project with only the package-lock.json? No.

The package.json is used for more than dependencies - like defining project properties, description, author & license information, scripts, etc. The package-lock.json is solely used to lock dependencies to a specific version number.

mastef
  • instead of **npm install** use **npm ci** to install dependencies according to `package-lock.json` - refer to https://docs.npmjs.com/cli/v8/commands/npm-ci – Alex Nov 25 '21 at 14:57
93

package-lock.json: records the exact version of each installed package which allows you to re-install them. Future installs will be able to build an identical dependency tree.

package.json: records the minimum version your app needs. If you update the versions of a particular package, the change is not going to be reflected here.

Narendar Reddy M
  • If the above is true, and `package.json` records the minimum version needed by the app and package-lock.json records the exact version of each installed package, then I'm having a strange situation where a module is set at version 0.112.1 in package.json and 0.110.0 in package-lock.json... – Jean-François Beauchamp Jan 29 '20 at 15:41
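The drift described in the comment above (a dependency declared at 0.112.1 in package.json while package-lock.json pins 0.110.0) is the situation `npm ci` refuses to install from: it requires the lock file to agree with package.json. As an added example, not code from either answer or from npm itself, the script below performs that agreement check offline. Both documents are constructed sample data (the package name `example-widget` is hypothetical, and the `resolved`/`integrity` fields a real lock file carries are left out because the check does not need them). The range matcher only covers exact, `=`, `^`, `~` and `>=` ranges with full x.y.z versions; a real project should use the `semver` package for the complete grammar.

```javascript
"use strict";

// Constructed sample data standing in for package.json on disk.
const samplePackageJson = {
  name: "demo-app",
  version: "1.0.0",
  dependencies: {
    lodash: "^4.17.20",
    express: "~4.18.0",
    "example-widget": "0.112.1" // hypothetical package, declared at an exact version
  },
  devDependencies: { jest: "^29.0.0" }
};

// Constructed sample data standing in for package-lock.json (lockfileVersion 3 layout).
const samplePackageLock = {
  name: "demo-app",
  version: "1.0.0",
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/lodash": { version: "4.17.21" },
    "node_modules/express": { version: "4.18.2" },
    "node_modules/example-widget": { version: "0.110.0" } // pinned below the declared version
    // jest is absent: package.json was edited without re-running npm install
  }
};

// Parse "MAJOR.MINOR.PATCH" (optional leading "v", optional -prerelease) into numbers.
function parseVersion(text) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-[0-9A-Za-z.-]+)?$/.exec(text.trim());
  if (!m) throw new Error(`unsupported version string: ${text}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// ^x.y.z permits changes that leave the leftmost non-zero component untouched.
function caretUpperBound([major, minor, patch]) {
  if (major > 0) return [major + 1, 0, 0];
  if (minor > 0) return [0, minor + 1, 0];
  return [0, 0, patch + 1];
}

// Simplified semver range test: exact, =, ^, ~, >= with full x.y.z versions only.
function satisfies(version, range) {
  const v = parseVersion(version);
  const r = range.trim();
  if (r === "*" || r === "latest") return true;
  if (r.startsWith("^")) {
    const lo = parseVersion(r.slice(1));
    return compareVersions(v, lo) >= 0 && compareVersions(v, caretUpperBound(lo)) < 0;
  }
  if (r.startsWith("~")) {
    const lo = parseVersion(r.slice(1));
    return compareVersions(v, lo) >= 0 && compareVersions(v, [lo[0], lo[1] + 1, 0]) < 0;
  }
  if (r.startsWith(">=")) return compareVersions(v, parseVersion(r.slice(2))) >= 0;
  return compareVersions(v, parseVersion(r.replace(/^=/, ""))) === 0;
}

// Top-level entry for `name` in either lock layout: v2/v3 "packages" keyed by
// node_modules path, or v1 "dependencies" keyed by package name.
function lockedVersion(lock, name) {
  const entry =
    (lock.packages && lock.packages[`node_modules/${name}`]) ||
    (lock.dependencies && lock.dependencies[name]);
  return entry ? entry.version : null;
}

// One record per declared dependency that the lock file does not satisfy.
function checkLock(pkg, lock) {
  const declared = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
  const problems = [];
  for (const [name, range] of Object.entries(declared)) {
    const locked = lockedVersion(lock, name);
    if (locked === null) {
      problems.push({ name, range, locked, reason: "not present in package-lock.json" });
    } else if (!satisfies(locked, range)) {
      problems.push({ name, range, locked, reason: "locked version is outside the declared range" });
    }
  }
  return problems;
}

for (const p of checkLock(samplePackageJson, samplePackageLock)) {
  console.log(`${p.name}: declared ${p.range}, locked ${p.locked === null ? "nothing" : p.locked}: ${p.reason}`);
}
```

Running it against the sample data reports two problems: `example-widget` (locked 0.110.0 does not satisfy the exact 0.112.1) and `jest` (missing from the lock). Against real files, replace the two constants with `JSON.parse(fs.readFileSync(...))` of package.json and package-lock.json; a clean result is what `npm ci` needs, and the cure for a dirty one is a fresh `npm install` committed together with the package.json change.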
12

If your question is if the lock file should be committed to your source control - it should. It will be ignored under certain circumstances.

I found it bloating pull requests and commit history, so if you see it change, do a separate commit for it.

Stanley Kirdey
  • No, I wasn't asking about commits to source control. Just if NPM needs both of them **at the same time** to work. `package-lock.json` seems like a more verbose version of `package.json`, so is it safe or possible to use only the lock file. – Omri Luzon Jul 23 '17 at 10:31
  • I see, I've left package.json in my projects, mainly to have a place for npm scripts. – Stanley Kirdey Jul 23 '17 at 22:37
  • There is now a [separate question](https://stackoverflow.com/q/46164194) on whether to put `package-lock.json` under version control. – Adrian W Jun 28 '18 at 15:45