
I'm trying to reconcile the purpose of the ^ character in package.json, and how it's affected by package-lock.json. Let's say for example, I run npm install johnny-dependency. Now I have a dependency listed in package.json:

"johnny-dependency": "^1.2.0"

On repo instantiation and the first npm install, package-lock.json will be generated which specifies that this package is using 1.2.0, and it will also specify which versions of johnny-dependency's dependencies should be used.

If package-lock.json essentially locks down the version, what is the purpose of the ^ or ~ semver specifiers in package.json? In this answer to the question Why does “npm install” rewrite package-lock.json?, it is said that package-lock.json no longer locks the root level dependencies. If so, why is it still a best practice to commit package-lock.json to source control?

I've never given much thought to this before, surely I'm missing something obvious?

  • That semver range information is also used by e.g. https://docs.npmjs.com/cli/v6/commands/npm-outdated/ – jonrsharpe May 25 '21 at 19:58
  • Ok...that's good to know I guess...but the same thing could be achieved without the semver ranges (for example with [npm-check-updates](https://www.npmjs.com/package/npm-check-updates)). My issue is that there's an implication that if you run npm install on a package listed as `^1.x.x`, you'll get the most up to date minor version of that package, but the presence of package-lock seems to negate that. That is the source of my confusion – Seth Lutske May 25 '21 at 20:03
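As an added illustration (not part of the question or its comments), the following Node.js script models how a caret range in package.json and a pinned version in package-lock.json interact; `johnny-dependency`, the registry version list and the helper names are assumptions constructed for this example:

```javascript
// Added example, not from the question: models how a caret range in
// package.json and a pinned version in package-lock.json interact.
// Only plain MAJOR.MINOR.PATCH versions are handled (no prerelease tags).
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  if (!m) throw new Error(`unsupported version: ${v}`);
  return m.slice(1).map(Number);
}

function compareVersions(a, b) {
  const [pa, pb] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] - pb[i];
  return 0;
}

// ^X.Y.Z allows updates that keep the left-most non-zero component fixed:
// ^1.2.0 -> >=1.2.0 <2.0.0, ^0.2.3 -> >=0.2.3 <0.3.0, ^0.0.3 -> >=0.0.3 <0.0.4
function caretUpperBound(base) {
  const [maj, min, pat] = parseVersion(base);
  if (maj > 0) return `${maj + 1}.0.0`;
  if (min > 0) return `0.${min + 1}.0`;
  return `0.0.${pat + 1}`;
}

function satisfiesCaret(version, range) {
  if (!range.startsWith('^')) throw new Error(`only ^ ranges handled: ${range}`);
  const base = range.slice(1);
  return compareVersions(version, base) >= 0 &&
         compareVersions(version, caretUpperBound(base)) < 0;
}

// npm install's rule: a package-lock.json entry is honoured only while it
// still satisfies the range in package.json; otherwise the range is
// re-resolved to the highest available version and the lock is rewritten.
function resolve(range, available, lockedVersion) {
  if (lockedVersion && satisfiesCaret(lockedVersion, range)) return lockedVersion;
  const candidates = available.filter((v) => satisfiesCaret(v, range)).sort(compareVersions);
  if (candidates.length === 0) throw new Error(`no version satisfies ${range}`);
  return candidates[candidates.length - 1];
}

// Constructed registry state for the hypothetical "johnny-dependency".
const registry = ['1.1.0', '1.2.0', '1.3.5', '1.4.0', '2.0.0'];
// Fresh clone with the lockfile committed: the pinned 1.2.0 is reproduced
// even though 1.4.0 also satisfies ^1.2.0.
const withLock = resolve('^1.2.0', registry, '1.2.0');
// No lockfile: the newest in-range version is chosen, so installs drift over time.
const withoutLock = resolve('^1.2.0', registry, undefined);
console.log({ withLock, withoutLock }); // { withLock: '1.2.0', withoutLock: '1.4.0' }
```

The range states which updates the project is willing to accept; the committed lockfile makes every install reproduce the same reviewed version until someone deliberately moves the pin.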
