1PACKAGE-LOCK.JSON(5) PACKAGE-LOCK.JSON(5)
2
3
4
6 package-lock.json - A manifestation of the manifest
7
8 Description
9 package-lock.json is automatically generated for any operations where
10 npm modifies either the node_modules tree, or package.json. It de‐
11 scribes the exact tree that was generated, such that subsequent in‐
12 stalls are able to generate identical trees, regardless of intermediate
13 dependency updates.
14
15 This file is intended to be committed into source repositories, and
16 serves various purposes:
17
18 • Describe a single representation of a dependency tree such that team‐
19 mates, deployments, and continuous integration are guaranteed to in‐
20 stall exactly the same dependencies.
21
22 • Provide a facility for users to "time-travel" to previous states of
23 node_modules without having to commit the directory itself.
24
25 • Facilitate greater visibility of tree changes through readable source
26 control diffs.
27
28 • Optimize the installation process by allowing npm to skip repeated
29 metadata resolutions for previously-installed packages.
30
31 • As of npm v7, lockfiles include enough information to gain a complete
32 picture of the package tree, reducing the need to read package.json
33 files, and allowing for significant performance improvements.
34
35
36 package-lock.json vs npm-shrinkwrap.json
37 Both of these files have the same format, and perform similar functions
38 in the root of a project.
39
40 The difference is that package-lock.json cannot be published, and it
41 will be ignored if found in any place other than the root project.
42
43 In contrast, npm help npm-shrinkwrap.json allows publication, and de‐
44 fines the dependency tree from the point encountered. This is not rec‐
45 ommended unless deploying a CLI tool or otherwise using the publication
46 process for producing production packages.
47
48 If both package-lock.json and npm-shrinkwrap.json are present in the
49 root of a project, npm-shrinkwrap.json will take precedence and pack‐
50 age-lock.json will be ignored.
51
52 Hidden Lockfiles
53 In order to avoid processing the node_modules folder repeatedly, npm as
54 of v7 uses a "hidden" lockfile present in node_modules/.pack‐
55 age-lock.json. This contains information about the tree, and is used
56 in lieu of reading the entire node_modules hierarchy provided that the
57 following conditions are met:
58
59 • All package folders it references exist in the node_modules hierar‐
60 chy.
61
62 • No package folders exist in the node_modules hierarchy that are not
63 listed in the lockfile.
64
65 • The modified time of the file is at least as recent as all of the
66 package folders it references.
67
68
69 That is, the hidden lockfile will only be relevant if it was created as
70 part of the most recent update to the package tree. If another CLI mu‐
71 tates the tree in any way, this will be detected, and the hidden lock‐
72 file will be ignored.
73
74 Note that it is possible to manually change the contents of a package
75 in such a way that the modified time of the package folder is unaf‐
76 fected. For example, if you add a file to node_modules/foo/lib/bar.js,
77 then the modified time on node_modules/foo will not reflect this
78 change. If you are manually editing files in node_modules, it is gen‐
79 erally best to delete the file at node_modules/.package-lock.json.
80
81 As the hidden lockfile is ignored by older npm versions, it does not
82 contain the backwards compatibility affordances present in "normal"
83 lockfiles. That is, it is lockfileVersion: 3, rather than lockfileVer‐
84 sion: 2.
85
86 Handling Old Lockfiles
87 When npm detects a lockfile from npm v6 or before during the package
88 installation process, it is automatically updated to fetch missing in‐
89 formation from either the node_modules tree or (in the case of empty
90 node_modules trees or very old lockfile formats) the npm registry.
91
92 File Format
93 name
94 The name of the package this is a package-lock for. This will match
95 what's in package.json.
96
97 version
98 The version of the package this is a package-lock for. This will match
99 what's in package.json.
100
101 lockfileVersion
102 An integer version, starting at 1 with the version number of this docu‐
103 ment whose semantics were used when generating this package-lock.json.
104
105 Note that the file format changed significantly in npm v7 to track in‐
106 formation that would have otherwise required looking in node_modules or
107 the npm registry. Lockfiles generated by npm v7 will contain lock‐
108 fileVersion: 2.
109
110 • No version provided: an "ancient" shrinkwrap file from a version of
111 npm prior to npm v5.
112
113 • 1: The lockfile version used by npm v5 and v6.
114
115 • 2: The lockfile version used by npm v7, which is backwards compatible
116 to v1 lockfiles.
117
118 • 3: The lockfile version used by npm v7, without backwards compatibil‐
119 ity affordances. This is used for the hidden lockfile at node_mod‐
120 ules/.package-lock.json, and will likely be used in a future version
121 of npm, once support for npm v6 is no longer relevant.
122
123
124 npm will always attempt to get whatever data it can out of a lockfile,
125 even if it is not a version that it was designed to support.
126
127 packages
128 This is an object that maps package locations to an object containing
129 the information about that package.
130
131 The root project is typically listed with a key of "", and all other
132 packages are listed with their relative paths from the root project
133 folder.
134
135 Package descriptors have the following fields:
136
137 • version: The version found in package.json
138
139 • resolved: The place where the package was actually resolved from. In
140 the case of packages fetched from the registry, this will be a url to
141 a tarball. In the case of git dependencies, this will be the full
142 git url with commit sha. In the case of link dependencies, this will
143 be the location of the link target. registry.npmjs.org is a magic
144 value meaning "the currently configured registry".
145
146 • integrity: A sha512 or sha1 Standard Subresource Integrity
147 https://w3c.github.io/webappsec/specs/subresourceintegrity/ string
148 for the artifact that was unpacked in this location.
149
150 • link: A flag to indicate that this is a symbolic link. If this is
151 present, no other fields are specified, since the link target will
152 also be included in the lockfile.
153
154 • dev, optional, devOptional: If the package is strictly part of the
155 devDependencies tree, then dev will be true. If it is strictly part
156 of the optionalDependencies tree, then optional will be set. If it
157 is both a dev dependency and an optional dependency of a non-dev de‐
158 pendency, then devOptional will be set. (An optional dependency of a
159 dev dependency will have both dev and optional set.)
160
161 • inBundle: A flag to indicate that the package is a bundled depen‐
162 dency.
163
164 • hasInstallScript: A flag to indicate that the package has a prein‐
165 stall, install, or postinstall script.
166
167 • hasShrinkwrap: A flag to indicate that the package has an
168 npm-shrinkwrap.json file.
169
170 • bin, license, engines, dependencies, optionalDependencies: fields
171 from package.json
172
173
174 dependencies
175 Legacy data for supporting versions of npm that use lockfileVersion: 1.
176 This is a mapping of package names to dependency objects. Because the
177 object structure is strictly hierarchical, symbolic link dependencies
178 are somewhat challenging to represent in some cases.
179
180 npm v7 ignores this section entirely if a packages section is present,
181 but does keep it up to date in order to support switching between npm
182 v6 and npm v7.
183
184 Dependency objects have the following fields:
185
186 • version: a specifier that varies depending on the nature of the pack‐
187 age, and is usable in fetching a new copy of it.
188
189 • bundled dependencies: Regardless of source, this is a version num‐
190 ber that is purely for informational purposes.
191
192 • registry sources: This is a version number. (eg, 1.2.3)
193
194 • git sources: This is a git specifier with resolved committish. (eg,
195 git+https://exam‐
196 ple.com/foo/bar#115311855adb0789a0466714ed48a1499ffea97e)
197
198 • http tarball sources: This is the URL of the tarball. (eg,
199 https://example.com/example-1.3.0.tgz)
200
201 • local tarball sources: This is the file URL of the tarball. (eg
202 file:///opt/storage/example-1.3.0.tgz)
203
204 • local link sources: This is the file URL of the link. (eg
205 file:libs/our-module)
206
207
208 • integrity: A sha512 or sha1 Standard Subresource Integrity
209 https://w3c.github.io/webappsec/specs/subresourceintegrity/ string
210 for the artifact that was unpacked in this location. For git depen‐
211 dencies, this is the commit sha.
212
213 • resolved: For registry sources this is path of the tarball relative
214 to the registry URL. If the tarball URL isn't on the same server as
215 the registry URL then this is a complete URL. registry.npmjs.org is a
216 magic value meaning "the currently configured registry".
217
218 • bundled: If true, this is the bundled dependency and will be in‐
219 stalled by the parent module. When installing, this module will be
220 extracted from the parent module during the extract phase, not in‐
221 stalled as a separate dependency.
222
223 • dev: If true then this dependency is either a development dependency
224 ONLY of the top level module or a transitive dependency of one. This
225 is false for dependencies that are both a development dependency of
226 the top level and a transitive dependency of a non-development depen‐
227 dency of the top level.
228
229 • optional: If true then this dependency is either an optional depen‐
230 dency ONLY of the top level module or a transitive dependency of one.
231 This is false for dependencies that are both an optional dependency
232 of the top level and a transitive dependency of a non-optional depen‐
233 dency of the top level.
234
235 • requires: This is a mapping of module name to version. This is a
236 list of everything this module requires, regardless of where it will
237 be installed. The version should match via normal matching rules a
238 dependency either in our dependencies or in a level higher than us.
239
240 • dependencies: The dependencies of this dependency, exactly as at the
241 top level.
242
243
244 See also
245 • npm help shrinkwrap
246
247 • npm help npm-shrinkwrap.json
248
249 • npm help package.json
250
251 • npm help install
252
253
254
255
256 January 2022 PACKAGE-LOCK.JSON(5)