Do I need both package-lock.json and package.json?

2019-01-22 01:18发布

站内问答 / 后端开发
1555 2 6

After updating my NPM to the latest version (from 3.X to 5.2.0) and running npm install on an existing project, I get an auto-created package-lock.json file.

I can tell package-lock.json gives me an exact dependency tree as opposed to package.json.

From that info alone, it seems like package.json is redundant and not needed anymore.

Are both of them necessary for NPM to work?
Is it safe or possible to use only the package-lock.json file?

The docs on package-lock.json (doc1, doc2) doesn't mention anything about that.

Edit:

After some more thinking about it, I came to the conclusion that if someone wants to use your project with an older version of NPM (before 5.x) it would still install all of the dependencies, but with less accurate versions (patch versions)

2条回答
Animai°情兽
2楼-- · 2019-01-22 01:35

Do you need both package-lock.json and package.json? No.

Do you need the package.json? Yes.

Can you have a project with only the package-lock.json? No.

The package.json is used for more than dependencies - like defining project properties, description, author & license information, scripts, etc. The package-lock.json is solely used to lock dependencies to a specific version number.

查看更多
0人赞 添加讨论(0) 举报
不美不萌又怎样
3楼-- · 2019-01-22 01:41

If your question is if lock file should be committed to your source control - it should. It will be ignored under certain circumstance.

I found it bloating pull requests and commit history, so if you see it change, do a separate commit for it.

查看更多
0人赞 添加讨论(0) 举报
登录 后发表回答
相关问题
查看全部
相关文章
查看全部
收藏的人(6)