What is the package-lock.json generated by npm install?

Posted on 12/13/2017 1:17:45 PM
package-lock.json is generated automatically for any operation in which npm modifies either the node_modules tree or package.json. It describes the exact tree that was generated, so that subsequent installs can produce an identical tree regardless of intermediate dependency updates.

This file is intended to be committed into the source repository, and serves several purposes:

It describes a single representation of the dependency tree, so that teammates, deployments, and continuous integration are guaranteed to install exactly the same dependencies.

It gives users a way to "time-travel" back to a previous state of node_modules without having to commit the directory itself.

It makes changes to the tree more visible through readable source-control diffs.

And it optimizes the installation process by allowing npm to skip repeated metadata resolution for previously installed packages.

One key detail about package-lock.json is that it cannot be published, and it is ignored if found anywhere other than the top-level package. It shares its format with npm-shrinkwrap.json, which is essentially the same file but is allowed to be published. Publishing a shrinkwrap is not recommended unless you are deploying a CLI tool or otherwise using the publication process to produce production packages.

If both package-lock.json and npm-shrinkwrap.json are present in the root of a package, package-lock.json is ignored entirely.

Original link: https://docs.npmjs.com/files/package-lock.json


Between the release of npm 5.0 and npm 5.6.0 the behaviour of the lock file changed several times, and many beginner articles on the Internet are still stuck on translations of the earlier documentation.

I upgraded from npm 3.x to npm 5, but found that what happened when I ran 'npm i' did not match the popular explanations on the Internet.

Some articles say that no matter how package.json is modified, repeated runs of npm i will download according to the version information recorded in the lock file.

Others say that on repeated runs of npm i, npm ignores the lock file and downloads updated modules according to the semantic versioning ranges in package.json (which would make the lock file useless).

**From what I could find, the rules for npm i have changed three times since npm 5.0 was released.**

1. In npm 5.0.x, npm i installed according to the lock file no matter how package.json had been changed.

package-lock.json file not updated after package.json file is changed · Issue #16866 · npm/npm     https://github.com/npm/npm/issues/16866
This issue complains about exactly that: I changed package.json by hand, so why don't you give me the upgraded package? That led to the change in 5.1.0...

2. From version 5.1.0, npm install ignored the lock file and downloaded the newest packages allowed by the ranges in package.json.

Then someone raised this issue: why is package-lock being ignored? · Issue #17979 · npm/npm      https://github.com/npm/npm/issues/17979
That complaint eventually produced the rules in effect from version 5.4.2.

3. From version 5.4.2 (the outcome of issue #17979 above):


Roughly speaking: if package.json has been changed so that it no longer agrees with the lock file, then when 'npm i' runs npm downloads the newest packages that satisfy the semver ranges in package.json and updates the lock file to match.

If the two agree, npm i installs according to the lock file, regardless of whether newer versions of the packages have been published.
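The check that this rule boils down to can be written out directly. The script below is an added example, not code from the original post or from npm itself: it decides, the way npm 5.4.2+ does before installing, whether every range in package.json accepts the version recorded for that package in package-lock.json. If so, the install can come straight from the lock; if not, npm would re-resolve the drifting packages and rewrite the lock. It also flags lock entries with no `integrity` hash, since those give no protection against a tarball that differs from what was locked. Only exact, caret (^) and tilde (~) ranges are handled. `packageJson`, `packageLock` and `driftingPackageJson` are constructed sample data; the resolved URLs and integrity strings are placeholders, not real hashes.

```javascript
// Added example: lockfile drift check in the spirit of npm 5.4.2's rule.
// Sample data is constructed; integrity values are placeholders, not real hashes.

const packageJson = {
  name: "demo-app",
  dependencies: { express: "^4.15.0", lodash: "~4.17.4" },
  devDependencies: { mocha: "4.0.1" },
};

const packageLock = {
  name: "demo-app",
  lockfileVersion: 1,
  dependencies: {
    express: { version: "4.16.2", resolved: "https://registry.npmjs.org/express/-/express-4.16.2.tgz", integrity: "sha512-CONSTRUCTED-PLACEHOLDER" },
    lodash: { version: "4.17.4", resolved: "https://registry.npmjs.org/lodash/-/lodash-4.17.4.tgz", integrity: "sha1-CONSTRUCTED-PLACEHOLDER" },
    mocha: { version: "4.0.1", dev: true, resolved: "https://registry.npmjs.org/mocha/-/mocha-4.0.1.tgz", integrity: "sha512-CONSTRUCTED-PLACEHOLDER" },
  },
};

// The same package.json after someone edits express's range by hand (the
// situation in issue #16866): the lock file no longer agrees with it.
const driftingPackageJson = Object.assign({}, packageJson, {
  dependencies: Object.assign({}, packageJson.dependencies, { express: "^5.0.0" }),
});

// Parse "1.2.3" (optionally "v1.2.3") into [1, 2, 3]. Prerelease tags, range
// operators and garbage return null so the caller can report them.
function parseVersion(s) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)$/.exec(String(s).trim());
  return m ? [Number(m[1]), Number(m[2]), Number(m[3])] : null;
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// true/false for exact, ~x.y.z and ^x.y.z ranges; null for anything else.
function satisfies(versionStr, range) {
  const v = parseVersion(versionStr);
  const r = String(range).trim();
  const op = r[0] === "^" || r[0] === "~" ? r[0] : "";
  const base = parseVersion(op ? r.slice(1) : r);
  if (!v || !base) return null;
  if (op === "") return compareVersions(v, base) === 0;
  // Exclusive upper bound: tilde bumps the minor; caret bumps the leftmost
  // non-zero component (so ^0.2.3 stays below 0.3.0 and ^0.0.3 below 0.0.4).
  let upper;
  if (op === "~") upper = [base[0], base[1] + 1, 0];
  else if (base[0] !== 0) upper = [base[0] + 1, 0, 0];
  else if (base[1] !== 0) upper = [0, base[1] + 1, 0];
  else upper = [0, 0, base[2] + 1];
  return compareVersions(v, base) >= 0 && compareVersions(v, upper) < 0;
}

// Walk every entry in a lockfileVersion 1 tree, including the nested
// "dependencies" that npm keeps under a package when it cannot hoist them.
function* walkLock(deps, prefix) {
  for (const [name, entry] of Object.entries(deps || {})) {
    yield [prefix + name, entry];
    yield* walkLock(entry.dependencies, prefix + name + " > ");
  }
}

// Returns { inSync, problems }. inSync is true only when every declared
// dependency is locked to a version its range accepts and every locked
// package carries an integrity hash: the state in which npm 5.4.2+ installs
// from the lock without re-resolving anything.
function checkLock(pkg, lock) {
  const problems = [];
  const declared = Object.assign({}, pkg.dependencies, pkg.devDependencies);
  const locked = (lock && lock.dependencies) || {};
  for (const [name, range] of Object.entries(declared)) {
    const entry = locked[name];
    if (!entry) {
      problems.push(`${name}: declared in package.json but absent from the lock file`);
      continue;
    }
    const ok = satisfies(entry.version, range);
    if (ok === null) problems.push(`${name}: unsupported range "${range}" or version "${entry.version}"`);
    else if (!ok) problems.push(`${name}: locked ${entry.version} does not satisfy ${range}; npm i would re-resolve it and rewrite the lock`);
  }
  for (const [path, entry] of walkLock(locked, "")) {
    // Bundled packages ship inside their parent's tarball and have no entry of their own to hash.
    if (entry.bundled) continue;
    if (!entry.integrity) problems.push(`${path}: no integrity hash; the tarball cannot be verified on install`);
  }
  return { inSync: problems.length === 0, problems };
}

console.log(checkLock(packageJson, packageLock));         // inSync: true
console.log(checkLock(driftingPackageJson, packageLock)); // inSync: false, one express problem
```

Running the file reports the first pair as in sync and the second as drifting on express only. npm 5.7.0, released after this post, added `npm ci`, which performs this kind of consistency check itself and aborts instead of rewriting the lock when package.json and package-lock.json disagree; on a build server that is the behaviour you want, because a lock file that is silently rewritten during install gives none of the reproducibility the documentation above promises.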
