Package.json vs Package-lock.json
Hello, I have a small question. I know that a package.json is a file that contains metadata about a project, such as the project's name, entry point, scripts, dependencies etc., while a package-lock.json is important so that when we npm install, we get the same dependency tree as our project.
My question is, if in our package.json file, we already have the version of our dependencies, then why need another separate json file?
(small aside :c, if I need to git push the files, do I need to git push both?)
I read that package-lock.json is used for our CI/CD environment, how is that?
From what I know,
package.json is user-editable and is "suggestions" for what package versions to install. package-lock.json, on the other hand, is only modified by npm (or yarn, etc.) and has the specific versions of packages being used.
Basically don't touch package-lock.json and you'll be fine. Also, both need to be included in your git. Really, only .gitignore the node_modules folder and anything OS specific. For example, macOS likes to add a __MACOS folder for some stupid reason—as well as some other files I can't remember.
When in doubt, check out both Git's Node .gitignore file and Node's .gitignore file.
Noted, ty!
I wouldn't say that package.json is "suggestions", but more like a coarse version set
you define your dependencies and some configurations
the package-lock.json is the exact version that you used to develop the code
it's rules for which packages are allowed to be selected
so I'd say suggestions works just fine
suggestions suggests that it's not a rule
but it is a rule
if your package.json says you need core-js version 3.3.2, then you can't use 3.3.1
but if it said ^3.3, then you can use any 3.3.x version
but this isn't a suggestion: you have to use a version
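To make the range-versus-exact-version point concrete, here is an added example (not from anyone in this thread) that does, in miniature, what `npm ci` does before installing: it checks that every version pinned in package-lock.json still satisfies the range declared in package.json, so a hand-edited or stale lockfile gets flagged instead of silently installed. The manifest and lockfile objects are constructed samples; the range grammar is simplified to exact, `~` and `^` with the caret semantics npm uses (the left-most non-zero component is frozen), and the lockfile layout is the `packages` map of lockfileVersion 2/3.

```javascript
// Parse "3.3" or "v3.3.2" into [major, minor, patch]; missing parts become 0.
function parseVersion(v) {
  const [major, minor = 0, patch = 0] = v.replace(/^v/, '').split('.').map(Number);
  return [major, minor, patch];
}

function compare(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// Returns [minInclusive, maxExclusive] for an exact, "~" or "^" range.
function rangeBounds(range) {
  const op = range[0] === '^' || range[0] === '~' ? range[0] : '';
  const base = parseVersion(op ? range.slice(1) : range);
  if (op === '') return [base, [base[0], base[1], base[2] + 1]]; // exact (assumes x.y.z)
  if (op === '~') return [base, [base[0], base[1] + 1, 0]];      // patch-level drift only
  if (base[0] > 0) return [base, [base[0] + 1, 0, 0]];           // ^3.3  -> >=3.3.0 <4.0.0
  if (base[1] > 0) return [base, [0, base[1] + 1, 0]];           // ^0.2.1 -> >=0.2.1 <0.3.0
  return [base, [0, 0, base[2] + 1]];                            // ^0.0.3 -> >=0.0.3 <0.0.4
}

function satisfies(version, range) {
  const v = parseVersion(version);
  const [lo, hi] = rangeBounds(range);
  return compare(v, lo) >= 0 && compare(v, hi) < 0;
}

// Names of dependencies whose locked version is missing or outside the declared range.
function lockDrift(pkg, lock) {
  const drift = [];
  for (const [name, range] of Object.entries(pkg.dependencies || {})) {
    const entry = lock.packages && lock.packages['node_modules/' + name];
    if (!entry || !satisfies(entry.version, range)) drift.push(name);
  }
  return drift;
}

// Constructed sample manifest and lockfile, not real project files.
const samplePkg = { dependencies: { 'core-js': '^3.3', 'left-pad': '1.3.0', 'tiny-lib': '~0.2.1' } };
const sampleLock = { lockfileVersion: 3, packages: {
  'node_modules/core-js':  { version: '3.3.2' }, // within ^3.3
  'node_modules/left-pad': { version: '1.3.1' }, // hand-edited, no longer the exact pin
  'node_modules/tiny-lib': { version: '0.3.0' }, // outside ~0.2.1
} };

console.log(lockDrift(samplePkg, sampleLock)); // → [ 'left-pad', 'tiny-lib' ]
```

In a real repo, `npm ci` fails the install when it detects this kind of mismatch, which is exactly why committing both files (and never editing the lockfile by hand) gives CI a reproducible tree.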