npm v5.2+ comes with a package-lock.json file that is generated when you install packages. This file should be versioned, because it records every package that was installed.
The idea is that, instead of using package.json to resolve and install modules, npm uses package-lock.json. Because the package-lock specifies a version, a location and an integrity hash for every module and each of its dependencies, the install it produces will be the same every single time. It does not matter what device you are on or when in the future you run the install; it should give you the same result every time, which is very useful.
package-lock.json locks down the versions of installed packages, so what is the problem with using
The problem is that your package.json is no longer meaningful: it does not tell you which version is actually installed, not even a clue.
- What if someone overwrites the package-lock.json or deletes it?
It is not the end of the world, but package.json should at least give us a clue about which packages we have installed.
Of course, you can see a list of your installed packages with their versions using npm list --depth=0, and if you want to update packages, you can see the list of outdated ones:
Check out this article: Everything you wanted to know about package-lock.json but were too afraid to ask.