PACKAGE-LOCK.JSON(5)                                      PACKAGE-LOCK.JSON(5)

NAME
       package-lock.json - A manifestation of the manifest

   Description
       package-lock.json is automatically generated for any operations where
       npm modifies either the node_modules tree, or package.json. It
       describes the exact tree that was generated, such that subsequent
       installs are able to generate identical trees, regardless of
       intermediate dependency updates.

       This file is intended to be committed into source repositories, and
       serves various purposes:

       · Describe a single representation of a dependency tree such that
         teammates, deployments, and continuous integration are guaranteed to
         install exactly the same dependencies.

       · Provide a facility for users to "time-travel" to previous states of
         node_modules without having to commit the directory itself.

       · Facilitate greater visibility of tree changes through readable
         source control diffs.

       · Optimize the installation process by allowing npm to skip repeated
         metadata resolutions for previously-installed packages.

       One key detail about package-lock.json is that it cannot be published,
       and it will be ignored if found in any place other than the top-level
       package. It shares a format with npm help npm-shrinkwrap.json, which is
       essentially the same file, but allows publication. This is not
       recommended unless deploying a CLI tool or otherwise using the
       publication process for producing production packages.

       If both package-lock.json and npm-shrinkwrap.json are present in the
       root of a package, package-lock.json will be completely ignored.

   File Format
   name
       The name of the package this is a package-lock for. This must match
       what's in package.json.

   version
       The version of the package this is a package-lock for. This must match
       what's in package.json.

   lockfileVersion
       An integer version, starting at 1 with the version number of this
       document whose semantics were used when generating this
       package-lock.json.

   packageIntegrity
       This is a subresource integrity
       (https://w3c.github.io/webappsec/specs/subresourceintegrity/) value
       created from the package.json. No preprocessing of the package.json
       should be done. Subresource integrity strings can be produced by
       modules like ssri (https://www.npmjs.com/package/ssri).

   preserveSymlinks
       Indicates that the install was done with the environment variable
       NODE_PRESERVE_SYMLINKS enabled. The installer should insist that the
       value of this property match that environment variable.

   dependencies
       A mapping of package name to dependency object. Dependency objects
       have the following properties:

   version
       This is a specifier that uniquely identifies this package and should be
       usable in fetching a new copy of it.

       · bundled dependencies: Regardless of source, this is a version number
         that is purely for informational purposes.

       · registry sources: This is a version number. (e.g., 1.2.3)

       · git sources: This is a git specifier with resolved committish. (e.g.,
         git+https://example.com/foo/bar#115311855adb0789a0466714ed48a1499ffea97e)

       · http tarball sources: This is the URL of the tarball. (e.g.,
         https://example.com/example-1.3.0.tgz)

       · local tarball sources: This is the file URL of the tarball. (e.g.,
         file:///opt/storage/example-1.3.0.tgz)

       · local link sources: This is the file URL of the link. (e.g.,
         file:libs/our-module)

   integrity
       This is a Standard Subresource Integrity
       (https://w3c.github.io/webappsec/specs/subresourceintegrity/) for this
       resource.

       · For bundled dependencies this is not included, regardless of source.

       · For registry sources, this is the integrity that the registry
         provided, or if one wasn't provided the SHA1 in shasum.

       · For git sources this is the specific commit hash we cloned from.

       · For remote tarball sources this is an integrity based on a SHA512 of
         the file.

       · For local tarball sources: This is an integrity field based on the
         SHA512 of the file.

   resolved
       · For bundled dependencies this is not included, regardless of source.

       · For registry sources this is the path of the tarball relative to the
         registry URL. If the tarball URL isn't on the same server as the
         registry URL then this is a complete URL.

   bundled
       If true, this is the bundled dependency and will be installed by the
       parent module. When installing, this module will be extracted from the
       parent module during the extract phase, not installed as a separate
       dependency.

   dev
       If true then this dependency is either a development dependency ONLY of
       the top level module or a transitive dependency of one. This is false
       for dependencies that are both a development dependency of the top
       level and a transitive dependency of a non-development dependency of
       the top level.

   optional
       If true then this dependency is either an optional dependency ONLY of
       the top level module or a transitive dependency of one. This is false
       for dependencies that are both an optional dependency of the top level
       and a transitive dependency of a non-optional dependency of the top
       level.

       All optional dependencies should be included even if they're
       uninstallable on the current platform.

   requires
       This is a mapping of module name to version. This is a list of
       everything this module requires, regardless of where it will be
       installed. The version should match via normal matching rules a
       dependency either in our dependencies or in a level higher than us.

   dependencies
       The dependencies of this dependency, exactly as at the top level.
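
       The dependency fields described above are enough to audit a lock file
       before it is trusted in CI. The following is an added example, not
       part of the npm documentation or npm's code: it walks dependencies
       recursively and flags missing, malformed or SHA-1-only integrity
       values, cleartext http: URLs, and git sources whose committish is not
       a full commit hash. The sample lock file, its digests and the finding
       names are constructed, and treating file: specifiers that end in .tgz
       or .tar.gz as local tarballs is an assumption.

```javascript
const DIGEST_BYTES = { sha1: 20, sha256: 32, sha384: 48, sha512: 64 };
// Parse an SRI string; an unknown algorithm or wrong digest length yields null.
function parseSri(sri) {
  return String(sri || '').split(/\s+/).filter(Boolean).map((part) => {
    const m = /^([a-z0-9]+)-([A-Za-z0-9+\/]+={0,2})(\?.*)?$/.exec(part);
    if (!m || !DIGEST_BYTES[m[1]]) return null;
    return Buffer.from(m[2], 'base64').length === DIGEST_BYTES[m[1]] ? m[1] : null;
  });
}

// Derive the source type from `bundled` and the `version` specifier. Assumption:
// a file: specifier ending in .tgz/.tar.gz is a local tarball, otherwise a link.
function sourceType(dep) {
  const v = String(dep.version || '');
  if (dep.bundled) return 'bundled';
  if (/^git[+:]/.test(v)) return 'git';
  if (/^https?:/.test(v)) return 'http-tarball';
  if (/^file:/.test(v)) return /\.(tgz|tar\.gz)$/.test(v) ? 'local-tarball' : 'local-link';
  return 'registry';
}

// Walk `dependencies` recursively and collect findings.
function auditLock(node, path = [], out = []) {
  for (const [name, dep] of Object.entries(node.dependencies || {})) {
    const type = sourceType(dep);
    const flag = (issue) => out.push({ where: [...path, name].join(' > '), type, issue });
    if (/^http:/.test(dep.resolved || '') || /^(git\+)?http:/.test(dep.version || '')) flag('cleartext-url');
    if (type === 'git' && !/#[0-9a-f]{40}$/.test(dep.version)) flag('git-not-pinned-to-commit');
    if (type === 'registry' || type.endsWith('tarball')) {
      const algos = parseSri(dep.integrity);
      if (algos.length === 0) flag('missing-integrity');
      else if (algos.includes(null)) flag('malformed-integrity');
      else if (algos.every((a) => a === 'sha1')) flag('sha1-only'); // shasum fallback
      else if (type !== 'registry' && !algos.includes('sha512')) flag('expected-sha512');
    }
    auditLock(dep, [...path, name], out); // nested dependencies have the same shape
  }
  return out;
}
// Constructed sample: digests are filler bytes of the right length, not real hashes.
const fake = (algo) => `${algo}-${Buffer.alloc(DIGEST_BYTES[algo], 1).toString('base64')}`;
const SAMPLE_LOCK = { name: 'demo', version: '1.0.0', lockfileVersion: 1, dependencies: {
  good: { version: '1.2.3', resolved: 'good/-/good-1.2.3.tgz', integrity: fake('sha512') },
  legacy: { version: '0.4.0', resolved: 'http://mirror.example/legacy-0.4.0.tgz',
    integrity: fake('sha1'), dependencies: { inner: { version: '2.0.0' } } },
  fork: { version: 'git+https://example.com/foo/bar#master' },
  pinned: { version: 'git+https://example.com/foo/bar#115311855adb0789a0466714ed48a1499ffea97e' },
  vendored: { version: '3.0.0', bundled: true },
} };
console.log(auditLock(SAMPLE_LOCK));
```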

   See also
       · npm help shrinkwrap

       · npm help shrinkwrap.json

       · npm help package-locks

       · npm help package.json

       · npm help install

                                  March 2020              PACKAGE-LOCK.JSON(5)