Bird
Raised Fist0
Node.jsframework~5 mins

package-lock.json and deterministic installs in Node.js

Choose your learning style10 modes available
LearnWhyDeepVisualTryChallengeProjectRecallPerf

Start learning this pattern below

Jump into concepts and practice - no test required

or
Recommended
Test this pattern10 questions across easy, medium, and hard to know if this pattern is strong
Introduction

The package-lock.json file helps keep your project dependencies the same every time you install them. This means your app works the same way on your computer and on others.

When you want to make sure your project installs the exact same versions of packages every time.
When working in a team so everyone uses the same package versions.
Before deploying your app to production to avoid unexpected bugs from different package versions.
When you want faster installs because <code>package-lock.json</code> stores exact package info.
When you want to track changes in dependencies over time.
Syntax
Node.js
npm install
# This creates or updates package-lock.json automatically

The package-lock.json file is automatically created or updated when you run npm install.

Do not edit package-lock.json manually; let npm manage it.

Examples
This installs the lodash package and records the exact version and dependencies in package-lock.json.
Node.js
npm install lodash
# Adds lodash and updates package-lock.json
This command installs packages strictly following package-lock.json, ensuring deterministic installs.
Node.js
npm ci
# Installs dependencies exactly as in package-lock.json
Sample Program

This example shows how package-lock.json locks your dependencies. After installing a package like express, the lock file records exact versions. Using npm ci reinstalls those exact versions, even if newer versions exist.

Node.js
/*
1. Create a new folder and run:
   npm init -y
2. Run:
   npm install express
3. Check that package-lock.json is created.
4. Delete node_modules folder.
5. Run:
   npm ci
6. node_modules will be installed exactly as before.
*/
OutputSuccess
Important Notes

Always commit package-lock.json to your version control system (like Git) to share exact dependencies with your team.

Using npm ci is faster and more reliable for continuous integration and deployment because it uses package-lock.json strictly.

Summary

package-lock.json locks exact package versions to keep installs consistent.

Use npm install to create/update the lock file and npm ci for deterministic installs.

Commit package-lock.json to share exact dependencies with others.

Practice

(1/5)
1. What is the main purpose of the package-lock.json file in a Node.js project?
easy
A. To store user credentials for npm registry
B. To list all available npm packages globally
C. To configure environment variables for the project
D. To lock exact versions of installed packages for consistent installs

Solution

  1. Step 1: Understand the role of package-lock.json

    This file records the exact versions of all installed packages and their dependencies.

  2. Step 2: Compare with other options

    Options A, B, and D describe unrelated functions not handled by package-lock.json.

  3. Final Answer:

    To lock exact versions of installed packages for consistent installs -> Option D

  4. Quick Check:

    Locking versions = C [OK]
Hint: Remember: lock file fixes versions to avoid surprises [OK]
Common Mistakes:
  • Confusing package-lock.json with package.json
  • Thinking it stores user or environment info
  • Assuming it lists global packages
2. Which command should you run to install packages exactly as specified in package-lock.json without updating it?
easy
A. npm ci
B. npm update
C. npm init
D. npm install

Solution

  1. Step 1: Identify the command for deterministic installs

    npm ci installs packages exactly as locked in package-lock.json without modifying it.

  2. Step 2: Understand other commands

    npm install may update the lock file; npm update upgrades packages; npm init initializes a new project.

  3. Final Answer:

    npm ci -> Option A

  4. Quick Check:

    Deterministic install = npm ci [OK]
Hint: Use npm ci for exact installs, no changes [OK]
Common Mistakes:
  • Using npm install which can update lock file
  • Confusing npm update with install
  • Thinking npm init installs packages
3. Given a project with package-lock.json committed, what happens when a teammate runs npm install on their machine?
medium
A. They install latest package versions ignoring package-lock.json
B. They install exact package versions locked in package-lock.json
C. They only install packages listed in package.json without lock file
D. They get an error because package-lock.json is ignored

Solution

  1. Step 1: Understand npm install behavior with package-lock.json

    When package-lock.json exists, npm install installs the exact versions locked in it to keep consistency.

  2. Step 2: Evaluate other options

    Installing latest package versions ignoring package-lock.json is wrong because npm install respects the lock file. Only installing packages listed in package.json without considering the lock file is incorrect. No error occurs because of the package-lock.json file.

  3. Final Answer:

    They install exact package versions locked in package-lock.json -> Option B

  4. Quick Check:

    Install respects lock file = A [OK]
Hint: Lock file guides install versions unless deleted [OK]
Common Mistakes:
  • Assuming npm install ignores package-lock.json
  • Thinking it installs latest versions always
  • Believing npm install errors if lock file exists
4. You run npm ci but get an error saying the package-lock.json file is missing. What is the likely cause?
medium
A. You forgot to commit package-lock.json to the repository
B. npm ci requires package.json only, not package-lock.json
C. Your Node.js version is too old to support npm ci
D. You need to run npm install first to generate package.json

Solution

  1. Step 1: Understand npm ci requirements

    npm ci requires a valid package-lock.json file to install exact versions.

  2. Step 2: Identify cause of missing lock file error

    If the lock file is missing, it is often because it was not committed or shared in the project repository.

  3. Final Answer:

    You forgot to commit package-lock.json to the repository -> Option A

  4. Quick Check:

    Missing lock file = forgot to commit [OK]
Hint: Always commit package-lock.json for npm ci [OK]
Common Mistakes:
  • Thinking npm ci works without lock file
  • Assuming Node.js version causes this error
  • Confusing package.json with lock file
5. You want to ensure your CI/CD pipeline installs dependencies exactly as your team tested, avoiding any version drift. Which approach best achieves this?
hard
A. Run npm update before every build to get latest packages
B. Run npm install and commit package.json only
C. Run npm ci and commit both package.json and package-lock.json
D. Delete package-lock.json and run npm install fresh each time

Solution

  1. Step 1: Identify the goal of deterministic installs in CI/CD

    To avoid version drift, installs must use exact versions tested by the team.

  2. Step 2: Choose the correct commands and files to commit

    npm ci installs exactly from package-lock.json, so committing both files and using npm ci ensures consistency.

  3. Step 3: Evaluate other options

    Run npm install and commit package.json only risks version drift; C updates packages which breaks consistency; D removes lock file causing unpredictable installs.

  4. Final Answer:

    Run npm ci and commit both package.json and package-lock.json -> Option C

  5. Quick Check:

    CI consistency = npm ci + commit lock file [OK]
Hint: Use npm ci with committed lock file for CI [OK]
Common Mistakes:
  • Not committing package-lock.json
  • Using npm install in CI causing version drift
  • Running npm update in CI builds