package.json vs. package-lock.json

Adela Chao
Jan 22, 2021

What is package.json?

package.json is a file that holds various metadata relevant to the project. It is usually located in the root directory of a Node.js project.

This file gives npm the information it needs to identify the project and to handle the project's dependencies.

It lists the packages your project depends on and specifies which versions of each package to use, which makes your build reproducible and therefore easier to share with other developers.

Note that package.json is used not only for dependency management; its purpose is to give detailed information about the project, such as author, license, repository, scripts, etc.

What is package-lock.json?

package-lock.json is automatically generated for any operation in which npm modifies either the node_modules tree or package.json.

The dependencies we list in package.json use semantic versioning, meaning they don't have to be a strict, specific version; instead we can specify the acceptable version ranges.

However, if we want every team member to set up a development environment with exactly identical dependencies, this is where package-lock.json comes into play.

package-lock.json describes the exact tree that was generated, so that subsequent installs are able to generate identical trees, regardless of intermediate dependency updates.

That's why this file is intended to be committed to source repositories.
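The two ideas above, a package.json that declares version ranges and a package-lock.json that records the exact resolved tree, can be checked against each other. The following script is an added example and is not code from the original post or from npm: it embeds a constructed package.json and a constructed package-lock.json (in the lockfileVersion 2 layout with a top-level "packages" map keyed by "node_modules/<name>"), then reports any dependency whose locked version falls outside its declared range, is missing from the lockfile, or has no integrity hash. The integrity strings are placeholders, and the range parser only handles the three forms the post's semver discussion implies (exact, caret "^", tilde "~"), not the full semver grammar (no "||", ">=", or x-ranges).

```javascript
// Added example: cross-check package.json ranges against package-lock.json.
// Both documents below are constructed samples, not real project files.
const PACKAGE_JSON = {
  name: "demo-app",
  version: "1.0.0",
  dependencies: { express: "^4.17.1", lodash: "~4.17.20", chalk: "4.1.0" },
};

const PACKAGE_LOCK = {
  name: "demo-app",
  lockfileVersion: 2,
  packages: {
    // integrity values are placeholders, not real hashes
    "node_modules/express": { version: "4.17.3", integrity: "sha512-<constructed>" },
    "node_modules/lodash": { version: "4.18.0", integrity: "sha512-<constructed>" },
    "node_modules/chalk": { version: "4.1.0" }, // constructed: no integrity hash
  },
};

// "x.y.z" -> [x, y, z]; anything else (prerelease tags, ranges) is rejected.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v.trim());
  if (!m) throw new Error(`unsupported version string: ${v}`);
  return m.slice(1).map(Number);
}

// Lexicographic compare on [major, minor, patch]: -1, 0 or 1.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}

// True if `version` satisfies `range`. Supports exact "1.2.3",
// caret "^1.2.3" (same major; for 0.x, same minor) and tilde "~1.2.3" (same minor).
function satisfies(version, range) {
  const v = parseVersion(version);
  const op = range[0] === "^" || range[0] === "~" ? range[0] : "";
  const base = parseVersion(op ? range.slice(1) : range);
  if (!op) return compareVersions(v, base) === 0;
  if (compareVersions(v, base) < 0) return false; // below the lower bound
  let upper; // exclusive upper bound
  if (op === "~") upper = [base[0], base[1] + 1, 0];
  else if (base[0] > 0) upper = [base[0] + 1, 0, 0];
  else if (base[1] > 0) upper = [0, base[1] + 1, 0];
  else upper = [0, 0, base[2] + 1];
  return compareVersions(v, upper) < 0;
}

// Walks the declared dependencies and checks each against the lockfile's
// top-level node_modules entry. Returns a list of findings; empty means consistent.
function auditLock(pkg, lock) {
  const findings = [];
  const declared = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
  for (const [name, range] of Object.entries(declared)) {
    const entry = (lock.packages || {})[`node_modules/${name}`];
    if (!entry) {
      findings.push({ name, problem: "missing from lockfile" });
      continue;
    }
    if (!satisfies(entry.version, range)) {
      findings.push({ name, problem: `locked ${entry.version} is outside range ${range}` });
    }
    if (!entry.integrity) {
      findings.push({ name, problem: "no integrity hash in lockfile" });
    }
  }
  return findings;
}

console.log(JSON.stringify(auditLock(PACKAGE_JSON, PACKAGE_LOCK), null, 2));
```

On the constructed input the script reports two findings: lodash is locked at 4.18.0, which is outside the "~4.17.20" range, and chalk has no integrity hash. A missing or out-of-range lock entry is exactly the situation in which `npm install` will rewrite the lockfile while `npm ci` refuses to proceed, which is why the stricter `npm ci` is the better fit for CI pipelines and for reviewing changes to a committed lockfile.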

Do we need both?

We will definitely need package.json, but we may have a project without package-lock.json.

In short, package.json is used for more than dependency management. package-lock.json is solely used to lock dependencies to specific version numbers.