4

I installed eslint and noticed that it initialized a package-lock.json file and installed a bunch of modules in my node_module folder that I didn't request. I'm not sure why.

More importantly, there are discrepancies between my package.json and package-lock.json listed dependencies. My understanding was that package.json listed my installed dependencies with their semver and package-lock ensured that the exact version I was using is also used by anyone else installing the modules.

So my questions are:

  1. Why are there discrepancies and shouldn't they have mirror listed dependencies?
  2. Which .json will install dependencies upon request and why?
  3. Why were these installed in the first place from eslint?

Thanks

nodumbqs
  • "that I didn't request" - but the modules you installed probably requested them. – evolutionxbox Jul 29 '20 at 12:09
  • Does this answer your question? [Do I need both package-lock.json and package.json?](https://stackoverflow.com/questions/45052520/do-i-need-both-package-lock-json-and-package-json) – Mohammed Ismail Jul 29 '20 at 12:28

1 Answer

4

The dependencies listed on package.json are the ones you install by using `npm install`.

When you run `npm install eslint`, npm will add a line in `dependencies` with eslint and the installed version.

```json
"dependencies": {
    "eslint": "^7.5.0"
}
```

The package-lock.json file contains all dependencies - the ones you installed and the ones required by the other packages. For example, eslint has 36 Dependencies (check the Dependencies tab).

To install a specific version of eslint you should do `npm install eslint@7.5.0`. The package.json file will now reference that specific version:

```json
"dependencies": {
    "eslint": "7.5.0"
}
```

Note that the `^` symbol is not showing. This symbol means compatible with version and follows semver. You can check other options here.

nip
  • OK thanks, that makes sense. So when I npm install, it will install all dependencies in my package.json and then all dependencies in my -lock file? So, in short, I can have version-adaptive dependencies in my package file and also version-locked dependencies in my -lock file, and both install upon npm install command? – nodumbqs Jul 29 '20 at 21:21
  • @nodumbqs 1. "so when I npm install, it will install all dependencies?" Yes, this is correct. 2. "and both install upon npm install command?" You can, but in normal circumstances this should be managed by the "main" package. – nip Jul 29 '20 at 23:27
  • Just so I'm clear, what do you mean by "'main' package"? – nodumbqs Jul 30 '20 at 00:18
  • @nodumbqs the package you actually install using `npm install package` – nip Jul 30 '20 at 09:30
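
An added example (not part of the original answer, and not npm's own code) of the relationship described above: it splits lockfile entries into direct and transitive and checks that each locked direct version falls inside the range package.json declares. The sample objects are constructed, the `packages` layout assumed is that of lockfileVersion 2/3, and `satisfies` and `compareManifestToLock` are hypothetical helper names that handle only exact and `^` ranges.

```javascript
// Constructed sample data (not real npm output): one direct dependency and
// a lockfile in the lockfileVersion 2/3 "packages" layout.
const manifest = { dependencies: { eslint: "^7.5.0" } };
const lockfile = {
  lockfileVersion: 2,
  packages: {
    "": { dependencies: { eslint: "^7.5.0" } },
    "node_modules/eslint": { version: "7.5.0" },
    "node_modules/ajv": { version: "6.12.3" },
    "node_modules/chalk": { version: "4.1.0" },
  },
};

// Minimal matcher for the two range forms in the answer: exact "7.5.0" and
// caret "^7.5.0". Pre-release tags and other operators are not handled.
function satisfies(range, version) {
  if (!range.startsWith("^")) return range === version;
  const [M, m, p] = range.slice(1).split(".").map(Number);
  const [vM, vm, vp] = version.split(".").map(Number);
  if (vM !== M) return false;                          // major must match
  if (vm < m || (vm === m && vp < p)) return false;    // not below the floor
  if (M > 0) return true;                              // ^1.2.3 allows 1.x.x
  if (m > 0) return vm === m;                          // ^0.2.3 allows 0.2.x
  return vp === p;                                     // ^0.0.3 allows only 0.0.3
}

// Classify every lockfile entry and flag direct dependencies whose locked
// version is outside the manifest range, or that the lockfile lacks entirely.
function compareManifestToLock(manifest, lockfile) {
  const direct = new Map(Object.entries({ ...manifest.dependencies, ...manifest.devDependencies }));
  const report = { direct: [], transitive: [], outOfRange: [], missing: [] };
  const marker = "node_modules/";
  for (const [path, entry] of Object.entries(lockfile.packages)) {
    if (path === "") continue; // the root project itself
    const name = path.slice(path.lastIndexOf(marker) + marker.length);
    if (path === marker + name && direct.has(name)) {
      report.direct.push(name);
      if (!satisfies(direct.get(name), entry.version)) report.outOfRange.push(name);
    } else {
      report.transitive.push(path); // pulled in by another package
    }
  }
  report.missing = [...direct.keys()].filter((n) => !report.direct.includes(n));
  return report;
}

console.log(compareManifestToLock(manifest, lockfile));
```

Entries under `transitive` are the expected difference between the two files; anything under `outOfRange` or `missing` means the lockfile no longer matches package.json.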