I had the exact same question as Do I need both package-lock.json and package.json? (tl;dr: "what's the difference between package.json and package-lock.json?") and found some really great answers in there. However, it leaves me with a few other very similar, related questions that I don't see answered elsewhere.

For instance, what if package.json and package-lock.json conflict with one another? Say package.json says to use some-lib-2.* (any 2.x version of some-lib) but package-lock.json is configured to use some-lib-1.18.4? Is there an error? Is preference given to either file as the "source of dependency truth"?

I like the idea of one file to manage my specific dependencies, and so I feel like I'm leaning towards:

  1. Not specifying libraries or version in package.json at all; and
  2. Using package-lock.json to specify the exact versions of each module/library my project uses

Is this possible to do? If so, are there any special configurations that I need to make? Do I track both files in version control, or are there ever any reasons why I would not want to track these in git/VCS?

  • It _is_ the source of truth. If they get out of sync, you'll get errors. Version control both, and they'll be updated for you by npm install/uninstall/update/etc. – jonrsharpe Apr 18 '22 at 14:12
  • Thanks @jonrsharpe, is there a way to omit dependency/version management from `package.json` altogether, so I'm _only_ defining dependency versions in `package-lock.json`? As an outsider looking in, I don't immediately see the advantage to (or use case for) defining dependency versions in 2 different files, but maybe I'm not seeing the forest for the trees here. – hotmeatballsoup Apr 18 '22 at 14:14
  • The package file (amongst other things) summarises the acceptable ranges of the direct dependencies. The lock file lists the specific versions of direct and transitive dependencies. You _don't_ define them in two files; one you shouldn't be editing at all. – jonrsharpe Apr 18 '22 at 14:18
  • Ahhh, can you confirm if my understanding here is correct: **(1)** you manage the `package.json` file by editing it directly and you tell it the acceptable ranges of direct dependencies, like you said. **(2)** Node/NPM decides _which specific version it is going to use_ (within those acceptable ranges) and writes them to `package-lock.json` for you. So you should edit `package.json` manually and never manually edit `package-lock.json` because it's generated + maintained automatically for you. Is this understanding all correct? Or am I off slightly? Thanks again! – hotmeatballsoup Apr 18 '22 at 14:22

1 Answer

  1. You use the command line (npm install [optional args]) to update both files
  2. NPM -- and your command line invocation -- decide what acceptable ranges of dependency versions there are for a module and define those ranges in package.json. It then picks a version within that range -- uses it for buildtime/runtime -- and writes that exact version in package-lock.json
  3. So you want to place both files in version control so you have repeatable builds and any developers checking out your project will immediately be able to build the project with the same versions of the same dependencies
  4. And the only time you edit package.json directly is if you don't want to allow a range of versions for a particular dependency and want to cherry pick the exact version to use. You make the edit, you save, you run npm install [options] and package-lock.json will be updated to use that version as well

For what it's worth, this is terribly confusing and advocates the anti-pattern of not managing your dependencies. It allows developers to think it's OK to just pull in the latest version of a given dependency, even if that version changes from build to build. That leads to bug creep in your application, non-repeatable builds and all sorts of headaches.

I would strongly advocate for always specifying the exact version you want for all your direct dependencies: no more ranges or wildcards please.

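Added example (not code from the question, the answer, or npm itself) of the conflict the question asks about and the answer describes: a package.json range that the version pinned in package-lock.json no longer satisfies, which is the state in which `npm ci` refuses to install. The manifests and package names are constructed, and the range matcher is a simplified stand-in for npm's semver library.

```javascript
// Added example: detect drift between package.json ranges and the versions
// pinned in package-lock.json. Sample manifests below are constructed data.

// Minimal semver range matcher: exact "1.2.3", caret "^1.2.3", tilde "~1.2.3",
// wildcard "2.*" / "2.x" / "*". Pre-release tags, compound ranges and the
// ^0.0.z special case are out of scope (npm's real semver handles them).
function parse(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  if (!m) throw new Error(`unsupported version: ${v}`);
  return m.slice(1).map(Number);
}

function satisfies(version, range) {
  const [maj, min, pat] = parse(version);
  if (range === "*" || range === "x") return true;
  let w = /^(\d+)\.(?:\*|x)(?:\.(?:\*|x))?$/.exec(range);
  if (w) return maj === Number(w[1]);
  w = /^(\d+)\.(\d+)\.(?:\*|x)$/.exec(range);
  if (w) return maj === Number(w[1]) && min === Number(w[2]);
  const op = /^[~^]/.test(range) ? range[0] : "";
  const [rMaj, rMin, rPat] = parse(op ? range.slice(1) : range);
  const notBelow = maj > rMaj || (maj === rMaj && (min > rMin || (min === rMin && pat >= rPat)));
  if (op === "") return maj === rMaj && min === rMin && pat === rPat;
  if (op === "~") return maj === rMaj && min === rMin && notBelow;
  // caret: same major, or same minor while the major is 0
  if (rMaj === 0) return maj === 0 && min === rMin && notBelow;
  return maj === rMaj && notBelow;
}

// Compare package.json direct dependencies with the versions pinned in a
// lockfileVersion 2/3 lock (packages["node_modules/<name>"].version).
function findDrift(pkg, lock) {
  const drift = [];
  for (const [name, range] of Object.entries(pkg.dependencies || {})) {
    const entry = lock.packages[`node_modules/${name}`];
    if (!entry) drift.push({ name, range, locked: null });
    else if (!satisfies(entry.version, range)) drift.push({ name, range, locked: entry.version });
  }
  return drift;
}

// Constructed sample manifests: "some-lib" uses the question's 2.* range while
// the lock still pins 1.18.4; "other-lib" is consistent.
const pkg = { dependencies: { "some-lib": "2.*", "other-lib": "^1.4.0" } };
const lock = { lockfileVersion: 3, packages: {
  "node_modules/some-lib": { version: "1.18.4" },
  "node_modules/other-lib": { version: "1.6.2" } } };
console.log(findDrift(pkg, lock)); // [{ name: "some-lib", range: "2.*", locked: "1.18.4" }]
```

Running this against a real checkout means reading the two files with `JSON.parse(fs.readFileSync(...))`; an empty result is what a consistent pair of manifests should give.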