• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1<!DOCTYPE html><html><head>
2<meta charset="utf-8">
3<title>package-lock.json</title>
4<style>
5body {
6    background-color: #ffffff;
7    color: #24292e;
8
9    margin: 0;
10
11    line-height: 1.5;
12
13    font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", Helvetica, Arial, sans-serif, "Apple Color Emoji", "Segoe UI Emoji";
14}
15#rainbar {
16    height: 10px;
17    background-image: linear-gradient(139deg, #fb8817, #ff4b01, #c12127, #e02aff);
18}
19
20a {
21    text-decoration: none;
22    color: #0366d6;
23}
24a:hover {
25    text-decoration: underline;
26}
27
28pre {
29    margin: 1em 0px;
30    padding: 1em;
31    border: solid 1px #e1e4e8;
32    border-radius: 6px;
33
34    display: block;
35    overflow: auto;
36
37    white-space: pre;
38
39    background-color: #f6f8fa;
40    color: #393a34;
41}
42code {
43    font-family: SFMono-Regular, Consolas, "Liberation Mono", Menlo, Courier, monospace;
44    font-size: 85%;
45    padding: 0.2em 0.4em;
46    background-color: #f6f8fa;
47    color: #393a34;
48}
49pre > code {
50    padding: 0;
51    background-color: inherit;
52    color: inherit;
53}
54h1, h2, h3 {
55    font-weight: 600;
56}
57
58#logobar {
59    background-color: #333333;
60    margin: 0 auto;
61    padding: 1em 4em;
62}
63#logobar .logo {
64    float: left;
65}
66#logobar .title {
67    font-weight: 600;
68    color: #dddddd;
69    float: left;
70    margin: 5px 0 0 1em;
71}
72#logobar:after {
73    content: "";
74    display: block;
75    clear: both;
76}
77
78#content {
79    margin: 0 auto;
80    padding: 0 4em;
81}
82
83#table_of_contents > h2 {
84    font-size: 1.17em;
85}
86#table_of_contents ul:first-child {
87    border: solid 1px #e1e4e8;
88    border-radius: 6px;
89    padding: 1em;
90    background-color: #f6f8fa;
91    color: #393a34;
92}
93#table_of_contents ul {
94    list-style-type: none;
95    padding-left: 1.5em;
96}
97#table_of_contents li {
98    font-size: 0.9em;
99}
100#table_of_contents li a {
101    color: #000000;
102}
103
104header.title {
105    border-bottom: solid 1px #e1e4e8;
106}
107header.title > h1 {
108    margin-bottom: 0.25em;
109}
110header.title > .description {
111    display: block;
112    margin-bottom: 0.5em;
113    line-height: 1;
114}
115
116footer#edit {
117    border-top: solid 1px #e1e4e8;
118    margin: 3em 0 4em 0;
119    padding-top: 2em;
120}
121</style>
122</head>
123<body>
124<div id="banner">
125<div id="rainbar"></div>
126<div id="logobar">
127<svg class="logo" role="img" height="32" width="32" viewBox="0 0 700 700">
128<polygon fill="#cb0000" points="0,700 700,700 700,0 0,0"></polygon>
129<polygon fill="#ffffff" points="150,550 350,550 350,250 450,250 450,550 550,550 550,150 150,150"></polygon>
130</svg>
131<div class="title">
132npm command-line interface
133</div>
134</div>
135</div>
136
137<section id="content">
138<header class="title">
139<h1 id="package-lockjson">package-lock.json</h1>
140<span class="description">A manifestation of the manifest</span>
141</header>
142
143<section id="table_of_contents">
144<h2 id="table-of-contents">Table of contents</h2>
145<div id="_table_of_contents"><ul><li><a href="#description">Description</a></li><li><a href="#package-lockjson-vs-npm-shrinkwrapjson"><code>package-lock.json</code> vs <code>npm-shrinkwrap.json</code></a></li><li><a href="#hidden-lockfiles">Hidden Lockfiles</a></li><li><a href="#handling-old-lockfiles">Handling Old Lockfiles</a></li><li><a href="#file-format">File Format</a></li><ul><li><a href="#name"><code>name</code></a></li><li><a href="#version"><code>version</code></a></li><li><a href="#lockfileversion"><code>lockfileVersion</code></a></li><li><a href="#packages"><code>packages</code></a></li><li><a href="#dependencies">dependencies</a></li></ul><li><a href="#see-also">See also</a></li></ul></div>
146</section>
147
148<div id="_content"><h3 id="description">Description</h3>
149<p><code>package-lock.json</code> is automatically generated for any operations where npm
150modifies either the <code>node_modules</code> tree, or <code>package.json</code>. It describes the
151exact tree that was generated, such that subsequent installs are able to
152generate identical trees, regardless of intermediate dependency updates.</p>
153<p>This file is intended to be committed into source repositories, and serves
154various purposes:</p>
155<ul>
156<li>
157<p>Describe a single representation of a dependency tree such that
158teammates, deployments, and continuous integration are guaranteed to
159install exactly the same dependencies.</p>
160</li>
161<li>
162<p>Provide a facility for users to "time-travel" to previous states of
163<code>node_modules</code> without having to commit the directory itself.</p>
164</li>
165<li>
166<p>Facilitate greater visibility of tree changes through readable source
167control diffs.</p>
168</li>
169<li>
170<p>Optimize the installation process by allowing npm to skip repeated
171metadata resolutions for previously-installed packages.</p>
172</li>
173<li>
174<p>As of npm v7, lockfiles include enough information to gain a complete
175picture of the package tree, reducing the need to read <code>package.json</code>
176files, and allowing for significant performance improvements.</p>
177</li>
178</ul>
179<h3 id="package-lockjson-vs-npm-shrinkwrapjson"><code>package-lock.json</code> vs <code>npm-shrinkwrap.json</code></h3>
180<p>Both of these files have the same format, and perform similar functions in
181the root of a project.</p>
182<p>The difference is that <code>package-lock.json</code> cannot be published, and it will
183be ignored if found in any place other than the root project.</p>
184<p>In contrast, <a href="../configuring-npm/npm-shrinkwrap-json.html">npm-shrinkwrap.json</a> allows
185publication, and defines the dependency tree from the point encountered.
186This is not recommended unless deploying a CLI tool or otherwise using the
187publication process for producing production packages.</p>
188<p>If both <code>package-lock.json</code> and <code>npm-shrinkwrap.json</code> are present in the
189root of a project, <code>npm-shrinkwrap.json</code> will take precedence and
190<code>package-lock.json</code> will be ignored.</p>
191<h3 id="hidden-lockfiles">Hidden Lockfiles</h3>
192<p>In order to avoid processing the <code>node_modules</code> folder repeatedly, npm as
193of v7 uses a "hidden" lockfile present in
194<code>node_modules/.package-lock.json</code>.  This contains information about the
195tree, and is used in lieu of reading the entire <code>node_modules</code> hierarchy
196provided that the following conditions are met:</p>
197<ul>
198<li>All package folders it references exist in the <code>node_modules</code> hierarchy.</li>
199<li>No package folders exist in the <code>node_modules</code> hierarchy that are not
200listed in the lockfile.</li>
201<li>The modified time of the file is at least as recent as all of the package
202folders it references.</li>
203</ul>
204<p>That is, the hidden lockfile will only be relevant if it was created as
205part of the most recent update to the package tree.  If another CLI mutates
206the tree in any way, this will be detected, and the hidden lockfile will be
207ignored.</p>
208<p>Note that it <em>is</em> possible to manually change the <em>contents</em> of a package
209in such a way that the modified time of the package folder is unaffected.
210For example, if you add a file to <code>node_modules/foo/lib/bar.js</code>, then the
211modified time on <code>node_modules/foo</code> will not reflect this change.  If you
212are manually editing files in <code>node_modules</code>, it is generally best to
213delete the file at <code>node_modules/.package-lock.json</code>.</p>
214<p>As the hidden lockfile is ignored by older npm versions, it does not
215contain the backwards compatibility affordances present in "normal"
216lockfiles.  That is, it is <code>lockfileVersion: 3</code>, rather than
217<code>lockfileVersion: 2</code>.</p>
218<h3 id="handling-old-lockfiles">Handling Old Lockfiles</h3>
219<p>When npm detects a lockfile from npm v6 or before during the package
220installation process, it is automatically updated to fetch missing
221information from either the <code>node_modules</code> tree or (in the case of empty
222<code>node_modules</code> trees or very old lockfile formats) the npm registry.</p>
223<h3 id="file-format">File Format</h3>
224<h4 id="name"><code>name</code></h4>
225<p>The name of the package this is a package-lock for. This will match what's
226in <code>package.json</code>.</p>
227<h4 id="version"><code>version</code></h4>
228<p>The version of the package this is a package-lock for. This will match
229what's in <code>package.json</code>.</p>
230<h4 id="lockfileversion"><code>lockfileVersion</code></h4>
231<p>An integer version, starting at <code>1</code> with the version number of this
232document whose semantics were used when generating this
233<code>package-lock.json</code>.</p>
234<p>Note that the file format changed significantly in npm v7 to track
235information that would have otherwise required looking in <code>node_modules</code> or
236the npm registry.  Lockfiles generated by npm v7 will contain
237<code>lockfileVersion: 2</code>.</p>
238<ul>
239<li>No version provided: an "ancient" shrinkwrap file from a version of npm
240prior to npm v5.</li>
241<li><code>1</code>: The lockfile version used by npm v5 and v6.</li>
242<li><code>2</code>: The lockfile version used by npm v7 and v8. Backwards compatible to v1
243lockfiles.</li>
244<li><code>3</code>: The lockfile version used by npm v9 and above. Backwards compatible to npm v7.</li>
245</ul>
246<p>npm will always attempt to get whatever data it can out of a lockfile, even
247if it is not a version that it was designed to support.</p>
248<h4 id="packages"><code>packages</code></h4>
249<p>This is an object that maps package locations to an object containing the
250information about that package.</p>
251<p>The root project is typically listed with a key of <code>""</code>, and all other
252packages are listed with their relative paths from the root project folder.</p>
253<p>Package descriptors have the following fields:</p>
254<ul>
255<li>
256<p>version: The version found in <code>package.json</code></p>
257</li>
258<li>
259<p>resolved: The place where the package was actually resolved from.  In
260the case of packages fetched from the registry, this will be a url to a
261tarball.  In the case of git dependencies, this will be the full git url
262with commit sha.  In the case of link dependencies, this will be the
263location of the link target. <code>registry.npmjs.org</code> is a magic value meaning
264"the currently configured registry".</p>
265</li>
266<li>
267<p>integrity: A <code>sha512</code> or <code>sha1</code> <a href="https://w3c.github.io/webappsec/specs/subresourceintegrity/">Standard Subresource
268Integrity</a>
269string for the artifact that was unpacked in this location.</p>
270</li>
271<li>
272<p>link: A flag to indicate that this is a symbolic link.  If this is
273present, no other fields are specified, since the link target will also
274be included in the lockfile.</p>
275</li>
276<li>
277<p>dev, optional, devOptional: If the package is strictly part of the
278<code>devDependencies</code> tree, then <code>dev</code> will be true.  If it is strictly part
279of the <code>optionalDependencies</code> tree, then <code>optional</code> will be set.  If it
280is both a <code>dev</code> dependency <em>and</em> an <code>optional</code> dependency of a non-dev
281dependency, then <code>devOptional</code> will be set.  (An <code>optional</code> dependency of
282a <code>dev</code> dependency will have both <code>dev</code> and <code>optional</code> set.)</p>
283</li>
284<li>
285<p>inBundle: A flag to indicate that the package is a bundled dependency.</p>
286</li>
287<li>
288<p>hasInstallScript: A flag to indicate that the package has a <code>preinstall</code>,
289<code>install</code>, or <code>postinstall</code> script.</p>
290</li>
291<li>
292<p>hasShrinkwrap: A flag to indicate that the package has an
293<code>npm-shrinkwrap.json</code> file.</p>
294</li>
295<li>
296<p>bin, license, engines, dependencies, optionalDependencies: fields from
297<code>package.json</code></p>
298</li>
299</ul>
300<h4 id="dependencies">dependencies</h4>
301<p>Legacy data for supporting versions of npm that use <code>lockfileVersion: 1</code>.
302This is a mapping of package names to dependency objects.  Because the
303object structure is strictly hierarchical, symbolic link dependencies are
304somewhat challenging to represent in some cases.</p>
305<p>npm v7 ignores this section entirely if a <code>packages</code> section is present,
306but does keep it up to date in order to support switching between npm v6
307and npm v7.</p>
308<p>Dependency objects have the following fields:</p>
309<ul>
310<li>
311<p>version: a specifier that varies depending on the nature of the package,
312and is usable in fetching a new copy of it.</p>
313<ul>
314<li>bundled dependencies: Regardless of source, this is a version number
315that is purely for informational purposes.</li>
316<li>registry sources: This is a version number. (eg, <code>1.2.3</code>)</li>
317<li>git sources: This is a git specifier with resolved committish. (eg,
318<code>git+https://example.com/foo/bar#115311855adb0789a0466714ed48a1499ffea97e</code>)</li>
319<li>http tarball sources: This is the URL of the tarball. (eg,
320<code>https://example.com/example-1.3.0.tgz</code>)</li>
321<li>local tarball sources: This is the file URL of the tarball. (eg
322<code>file:///opt/storage/example-1.3.0.tgz</code>)</li>
323<li>local link sources: This is the file URL of the link. (eg
324<code>file:libs/our-module</code>)</li>
325</ul>
326</li>
327<li>
328<p>integrity: A <code>sha512</code> or <code>sha1</code> <a href="https://w3c.github.io/webappsec/specs/subresourceintegrity/">Standard Subresource
329Integrity</a>
330string for the artifact that was unpacked in this location.  For git
331dependencies, this is the commit sha.</p>
332</li>
333<li>
334<p>resolved: For registry sources this is path of the tarball relative to
335the registry URL.  If the tarball URL isn't on the same server as the
336registry URL then this is a complete URL. <code>registry.npmjs.org</code> is a magic
337value meaning "the currently configured registry".</p>
338</li>
339<li>
340<p>bundled:  If true, this is the bundled dependency and will be installed
341by the parent module.  When installing, this module will be extracted
342from the parent module during the extract phase, not installed as a
343separate dependency.</p>
344</li>
345<li>
346<p>dev: If true then this dependency is either a development dependency ONLY
347of the top level module or a transitive dependency of one.  This is false
348for dependencies that are both a development dependency of the top level
349and a transitive dependency of a non-development dependency of the top
350level.</p>
351</li>
352<li>
353<p>optional: If true then this dependency is either an optional dependency
354ONLY of the top level module or a transitive dependency of one.  This is
355false for dependencies that are both an optional dependency of the top
356level and a transitive dependency of a non-optional dependency of the top
357level.</p>
358</li>
359<li>
360<p>requires: This is a mapping of module name to version.  This is a list of
361everything this module requires, regardless of where it will be
362installed.  The version should match via normal matching rules a
363dependency either in our <code>dependencies</code> or in a level higher than us.</p>
364</li>
365<li>
366<p>dependencies: The dependencies of this dependency, exactly as at the top
367level.</p>
368</li>
369</ul>
370<h3 id="see-also">See also</h3>
371<ul>
372<li><a href="../commands/npm-shrinkwrap.html">npm shrinkwrap</a></li>
373<li><a href="../configuring-npm/npm-shrinkwrap-json.html">npm-shrinkwrap.json</a></li>
374<li><a href="../configuring-npm/package-json.html">package.json</a></li>
375<li><a href="../commands/npm-install.html">npm install</a></li>
376</ul></div>
377
378<footer id="edit">
379<a href="https://github.com/npm/cli/edit/latest/docs/content/configuring-npm/package-lock-json.md">
380<svg role="img" viewBox="0 0 16 16" width="16" height="16" fill="currentcolor" style="vertical-align: text-bottom; margin-right: 0.3em;">
381<path fill-rule="evenodd" d="M11.013 1.427a1.75 1.75 0 012.474 0l1.086 1.086a1.75 1.75 0 010 2.474l-8.61 8.61c-.21.21-.47.364-.756.445l-3.251.93a.75.75 0 01-.927-.928l.929-3.25a1.75 1.75 0 01.445-.758l8.61-8.61zm1.414 1.06a.25.25 0 00-.354 0L10.811 3.75l1.439 1.44 1.263-1.263a.25.25 0 000-.354l-1.086-1.086zM11.189 6.25L9.75 4.81l-6.286 6.287a.25.25 0 00-.064.108l-.558 1.953 1.953-.558a.249.249 0 00.108-.064l6.286-6.286z"></path>
382</svg>
383Edit this page on GitHub
384</a>
385</footer>
386</section>
387
388
389
390</body></html>