package.json vs. package-lock.json


What is package.json

This file gives npm the information it needs to identify the project and to handle the project’s dependencies.

It lists the packages your project depends on and specifies which versions of each package are acceptable, which makes your build reproducible and therefore easier to share with other developers.

Note that package.json is not used only for dependency management; its purpose is also to give detailed information about the project, such as author, license, repository, scripts, etc.

What is package-lock.json

The dependencies we list in package.json use semantic versioning, which means they don’t have to name one strict version; instead we can specify the acceptable version range.

However, if we want every team member to set up a development environment with exactly identical dependencies, this is where package-lock.json comes into play.

package-lock.json describes the exact tree that was generated, so that subsequent installs are able to generate identical trees, regardless of intermediate dependency updates.

That’s why this file is intended to be committed into source repositories.

Do we need both?

In short, package.json is used for more than dependency management. package-lock.json is used solely to lock dependencies to specific version numbers.
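To make the difference concrete, here is an added example (not code from the original post) that compares the version ranges declared in a package.json with the exact versions recorded in a package-lock.json and reports any drift between them; both documents are constructed sample data, and the `integrity` values are placeholders.

```javascript
// Added example (not from the original post): checks whether the exact versions
// recorded in package-lock.json still fall inside the ranges declared in
// package.json. Both documents are constructed sample data (lockfileVersion 3
// layout); the integrity strings are placeholders, not real hashes.
const manifest = {
  name: "demo-app",
  dependencies: { lodash: "^4.17.20", express: "~4.18.1" },
};
const lockfile = {
  lockfileVersion: 3,
  packages: {
    "node_modules/lodash": { version: "4.17.21", integrity: "sha512-PLACEHOLDER" },
    "node_modules/express": { version: "4.19.2", integrity: "sha512-PLACEHOLDER" },
  },
};

function parseVersion(v) {
  const [major, minor, patch] = v.split(".").map(Number);
  return { major, minor, patch };
}

// Minimal matcher for the range forms npm writes by default: exact "1.2.3",
// tilde "~1.2.3" (same major.minor) and caret "^1.2.3" (same major; for 0.x
// releases caret only allows patch-level updates). Anything else is rejected.
function satisfies(version, range) {
  const op = "^~".includes(range[0]) ? range[0] : "";
  const want = parseVersion(op ? range.slice(1) : range);
  const have = parseVersion(version);
  if ([want, have].some(x => Object.values(x).some(n => !Number.isInteger(n)))) {
    throw new Error(`unsupported range or version: ${range} / ${version}`);
  }
  // Sign of (have - want): first non-zero difference over major, minor, patch.
  const cmp = [have.major - want.major, have.minor - want.minor, have.patch - want.patch]
    .find(d => d !== 0) ?? 0;
  if (cmp < 0) return false;               // locked version is below the range floor
  if (op === "") return cmp === 0;         // exact pin
  if (op === "~") return have.major === want.major && have.minor === want.minor;
  if (want.major === 0) return have.major === 0 && have.minor === want.minor &&
    (want.minor !== 0 || have.patch === want.patch);
  return have.major === want.major;
}

// One finding per declared dependency: "ok", "missing-from-lock",
// "out-of-range" (manifest and lock have drifted) or "no-integrity".
function checkLock(manifest, lockfile) {
  return Object.entries(manifest.dependencies ?? {}).map(([name, range]) => {
    const entry = lockfile.packages?.[`node_modules/${name}`];
    if (!entry) return { name, status: "missing-from-lock" };
    if (!satisfies(entry.version, range)) return { name, status: "out-of-range", locked: entry.version, range };
    if (!entry.integrity) return { name, status: "no-integrity", locked: entry.version };
    return { name, status: "ok", locked: entry.version };
  });
}

console.log(checkLock(manifest, lockfile));
```

In the sample data, express is locked at 4.19.2 while the manifest declares `~4.18.1`, which is exactly the kind of mismatch that makes `npm ci` refuse to install, whereas `npm install` would silently rewrite the lock file instead.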
