
package-lock.json and deterministic installs in Node.js

Introduction

The package-lock.json file helps keep your project dependencies the same every time you install them. This means your app works the same way on your computer and on everyone else's.

When to Use

When you want to make sure your project installs the exact same versions of packages every time.
When working in a team so everyone uses the same package versions.
Before deploying your app to production to avoid unexpected bugs from different package versions.
When you want faster installs because package-lock.json stores exact package info.
When you want to track changes in dependencies over time.
Syntax
Node.js
npm install
# This creates or updates package-lock.json automatically

The package-lock.json file is automatically created or updated when you run npm install.

Do not edit package-lock.json manually; let npm manage it.

Examples
This installs the lodash package and records the exact version and dependencies in package-lock.json.
Node.js
npm install lodash
# Adds lodash and updates package-lock.json
This command installs packages strictly following package-lock.json, ensuring deterministic installs.
Node.js
npm ci
# Installs dependencies exactly as in package-lock.json
Sample Program

This example shows how package-lock.json locks your dependencies. After installing a package like express, the lock file records exact versions. Using npm ci reinstalls those exact versions, even if newer versions exist.

Node.js
/*
1. Create a new folder and run:
   npm init -y
2. Run:
   npm install express
3. Check that package-lock.json is created.
4. Delete node_modules folder.
5. Run:
   npm ci
6. node_modules will be installed exactly as before.
*/
Important Notes

Always commit package-lock.json to your version control system (like Git) to share exact dependencies with your team.

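Using npm ci is faster and more reliable for continuous integration and deployment because it uses package-lock.json strictly: it installs exactly what the lock file records and exits with an error, rather than updating the lock file, if package.json and package-lock.json do not match.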
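Because npm ci installs whatever the committed lock file records, it helps to check what it records before a build. The following is an added example, not part of the original tutorial: it audits a lockfileVersion 2/3 file for entries that lack an exact version, an HTTPS registry source or a sha512 integrity hash. The function name, the allowed host and the sample data are assumptions made for illustration.

```javascript
// Added example, not from the original tutorial: audit a lockfileVersion 2/3
// package-lock.json. ALLOWED_HOST is an assumption; set it to your registry.
const ALLOWED_HOST = 'registry.npmjs.org';

function auditLockfile(lock) {
  if (!lock.packages) {
    return [{ path: '(lockfile)', issue: 'no "packages" map (lockfileVersion 1?)' }];
  }
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages)) {
    // Entries outside node_modules (root project, workspace folders), links and
    // bundled dependencies carry no resolved/integrity fields, so skip them.
    if (!path.includes('node_modules/') || entry.link || entry.inBundle) continue;
    if (!entry.version) findings.push({ path, issue: 'no exact version' });
    let url = null;
    try { url = new URL(entry.resolved); } catch { /* missing or not a URL */ }
    if (!url) {
      findings.push({ path, issue: 'missing or non-URL resolved field' });
    } else if (url.protocol !== 'https:' || url.host !== ALLOWED_HOST) {
      findings.push({ path, issue: `unexpected source ${url.protocol}//${url.host}` });
    }
    // integrity may hold several space-separated SRI hashes; require a sha512 one.
    if (!entry.integrity) {
      findings.push({ path, issue: 'missing integrity hash' });
    } else if (!/(^|\s)sha512-/.test(entry.integrity)) {
      findings.push({ path, issue: 'no sha512 integrity hash' });
    }
  }
  return findings;
}

// Constructed sample lock file; package names other than express are
// hypothetical and the integrity strings are placeholders, not real hashes.
const sampleLock = {
  name: 'demo', version: '1.0.0', lockfileVersion: 3,
  packages: {
    '': { name: 'demo', version: '1.0.0' },
    'node_modules/express': { version: '4.18.2',
      resolved: 'https://registry.npmjs.org/express/-/express-4.18.2.tgz',
      integrity: 'sha512-PLACEHOLDER' },
    'node_modules/example-mirror-pkg': { version: '1.0.0',
      resolved: 'http://mirror.example.test/example-mirror-pkg-1.0.0.tgz',
      integrity: 'sha1-PLACEHOLDER' },
    'node_modules/example-nohash-pkg': { version: '2.1.0',
      resolved: 'https://registry.npmjs.org/example-nohash-pkg/-/example-nohash-pkg-2.1.0.tgz' },
  },
};
for (const f of auditLockfile(sampleLock)) console.log(`${f.path}: ${f.issue}`);
```

To audit a real project, pass the parsed contents of its package-lock.json to auditLockfile and fail the build when the returned list is not empty.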

Summary

package-lock.json locks exact package versions to keep installs consistent.

Use npm install to create/update the lock file and npm ci for deterministic installs.

Commit package-lock.json to share exact dependencies with others.