6

As in the title, but:

  • If it is possible, I don't want to hand-rewrite the version string manually in the package-lock.json,
  • I tried the following: How do I update each dependency in package.json to the latest version? but of course as expected, it only updated the package.json file,
  • I looked at the docs: package-lock.json docs and package-locks explanation docs,
  • as written in this question, the npm install behaviour was changed in npm v5.1.0, which if I'm correct, means that if I have npm version higher than 5.1.0, my app will (by default) always npm install from tha package.json, instead of the package-lock.json. However, I still have a dependency listed in my package-lock.json which has a vulnerability, and my github is screaming warning for it.

How to best solve this? If I'm installing from package.json anyway, is it a good practice to just delete the package-lock.json? Should I rather keep it updated? What to do if I want to use the lock instead?

I have never done anything like this before, so I'm not even sure that if I just rewrote a version string in the json it would work or break the npm install.

Is there a safe/professional way to change to package-lock.json, and keep it updated via npm?

Harshal Yeole
  • 4,812
  • 1
  • 21
  • 43
Dragonturtle
  • 274
  • 2
  • 5
  • 15

1 Answers1

4

If you want update version in package-lock.json,you can do it by updating the package using 

npm update <package_name>
  • '^' >> "Approximately equivalent to version"
  • '~' >> "Compatible with version"

Read more about '^' and '~' in your package.json >> Reference

As the package-lock specifies a version, location and integrity hash for every module and each of its dependencies, the install it creates will be the same, every single time for each user in shared project.

Everything You Wanted To Know About package-lock.json

Hope this will help you clear your thoughts.

Harshal Yeole
  • 4,812
  • 1
  • 21
  • 43