npm5 was recently released with Node 8 and you may have noticed that there’s a new file to play around with! npm5 introduces a lockfile, package-lock.json, that keeps a record of every dependency your project uses and what version you have currently installed. Before npm5, this was behavior you could only get from npm shrinkwrap.
You can read the docs on these here:
npm package locks
package-lock.json
npm shrinkwrap
npm-shrinkwrap.json
Whether you’ve used npm shrinkwrap before and are wondering how package-lock.json is different, or are new to the concept of lockfiles in general, take a look at the drawings below to get more familiar with when and how to use both of these features.
package-lock.json is automatically generated when you run npm install and is not publishable to the registry. If a library’s lockfile were respected when that library is installed as a dependency, combining libraries with different pinned versions would be very difficult.
You can and should push your package-lock.json to version control. It will help you and your fellow developers keep track of the last good dependency configuration you had. Run npm up to update your deps, and if something breaks, package-lock.json helps you roll back.
If you are distributing an app via npm (such as a CLI app), use npm shrinkwrap. Shrinkwrap files are publishable to the registry.
package-lock.json and npm-shrinkwrap.json are both commit-able to version control. Unless you need to publish a lock file to the registry, using both is redundant.
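The update-and-roll-back workflow above works best when you can see exactly what changed in the lockfile and whether every entry is still pinned to a registry tarball with an integrity hash. The following Node script is an added example, not code from this post or from npm itself: it flattens a lockfileVersion 1 document (the format both package-lock.json and npm-shrinkwrap.json use), audits it for unpinned versions, missing integrity hashes and non-registry download URLs, and diffs a committed revision against the one npm up just wrote. The two lockfiles embedded in it are constructed samples with placeholder package names, hosts and hashes, and the helper names (flattenLock, auditLock, diffLocks) are this example’s own.

```javascript
// Added example, not code from the npm blog post or the npm project: inspect an
// npm5 package-lock.json (lockfileVersion 1; npm-shrinkwrap.json uses the same
// format) and diff two revisions of it. Both lockfiles below are constructed
// samples with placeholder package names, hosts and hashes, not real packages.
'use strict';

const REGISTRY = 'https://registry.npmjs.org/';

// Flatten the nested "dependencies" tree into a Map keyed by install path,
// e.g. "left" for a top-level package and "left/node_modules/pad" for a
// package nested under it.
function flattenLock(lock) {
  const out = new Map();
  const walk = (deps, prefix) => {
    for (const [name, entry] of Object.entries(deps || {})) {
      const key = prefix ? `${prefix}/node_modules/${name}` : name;
      out.set(key, { version: entry.version, resolved: entry.resolved, integrity: entry.integrity });
      walk(entry.dependencies, key);
    }
  };
  walk(lock.dependencies, '');
  return out;
}

// Checks worth running on a committed lockfile before trusting it: every entry
// pinned to an exact semver version, carrying an integrity hash, and resolved
// from the expected registry. Git or tarball specs fail the version check and
// are reported so a human can look at them.
const EXACT_SEMVER = /^\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?$/;
function auditLock(lock, registry = REGISTRY) {
  const findings = [];
  for (const [key, e] of flattenLock(lock)) {
    if (!EXACT_SEMVER.test(e.version || '')) findings.push(`${key}: version is not an exact semver (${e.version})`);
    if (!e.integrity) findings.push(`${key}: missing integrity hash`);
    if (e.resolved && !e.resolved.startsWith(registry)) findings.push(`${key}: resolved outside ${registry} (${e.resolved})`);
  }
  return findings;
}

// Diff two lockfile revisions, e.g. the committed one and the one `npm update`
// just wrote, so that when something breaks you can see exactly which packages
// moved before deciding to roll the file back in version control.
function diffLocks(before, after) {
  const a = flattenLock(before);
  const b = flattenLock(after);
  const changes = { added: [], removed: [], changed: [] };
  for (const [key, e] of b) {
    const prev = a.get(key);
    if (!prev) changes.added.push(`${key}@${e.version}`);
    else if (prev.version !== e.version || prev.integrity !== e.integrity) changes.changed.push(`${key}: ${prev.version} -> ${e.version}`);
  }
  for (const [key, e] of a) if (!b.has(key)) changes.removed.push(`${key}@${e.version}`);
  return changes;
}

// Constructed sample: the lockfile as committed.
const LOCK_BEFORE = {
  name: 'example-app', version: '1.0.0', lockfileVersion: 1, requires: true,
  dependencies: {
    left: {
      version: '1.0.0',
      resolved: 'https://registry.npmjs.org/left/-/left-1.0.0.tgz',
      integrity: 'sha512-PLACEHOLDER-LEFT-1.0.0',
      requires: { pad: '^2.0.0' },
      dependencies: {
        pad: { version: '2.0.0', resolved: 'https://registry.npmjs.org/pad/-/pad-2.0.0.tgz', integrity: 'sha512-PLACEHOLDER-PAD-2.0.0' },
      },
    },
    pad: { version: '1.5.0', resolved: 'https://registry.npmjs.org/pad/-/pad-1.5.0.tgz', integrity: 'sha512-PLACEHOLDER-PAD-1.5.0' },
  },
};

// Constructed sample: the same lockfile after `npm update`, where a new
// dependency was also resolved from a non-registry host with no integrity hash.
const LOCK_AFTER = {
  name: 'example-app', version: '1.0.0', lockfileVersion: 1, requires: true,
  dependencies: {
    left: {
      version: '1.0.0',
      resolved: 'https://registry.npmjs.org/left/-/left-1.0.0.tgz',
      integrity: 'sha512-PLACEHOLDER-LEFT-1.0.0',
      requires: { pad: '^2.0.0' },
      dependencies: {
        pad: { version: '2.1.0', resolved: 'https://registry.npmjs.org/pad/-/pad-2.1.0.tgz', integrity: 'sha512-PLACEHOLDER-PAD-2.1.0' },
      },
    },
    pad: { version: '1.6.0', resolved: 'https://registry.npmjs.org/pad/-/pad-1.6.0.tgz', integrity: 'sha512-PLACEHOLDER-PAD-1.6.0' },
    'mirror-thing': { version: '0.1.0', resolved: 'https://example.internal/mirror-thing-0.1.0.tgz' },
  },
};

console.log('audit findings:', auditLock(LOCK_AFTER));
console.log('changes since committed lockfile:', diffLocks(LOCK_BEFORE, LOCK_AFTER));
```

To use it on a real project, replace the two constants with JSON.parse of the committed file (for instance from git show HEAD:package-lock.json) and of the working-tree file; the audit findings on the sample show why a lockfile review should look at resolved URLs and integrity fields and not only at version numbers.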
If you still have questions, don’t hesitate to reach out to our awesome support team via email at or twitter @npm_support.