
package-lock.json and deterministic installs in Node.js - Practice Problems & Coding Challenges

Challenge - 5 Problems
🧠 Conceptual
intermediate
What is the main purpose of package-lock.json?
Why does Node.js create a package-lock.json file when you install packages?
A. To store user credentials for npm registry access
B. To lock the exact versions of installed packages for consistent installs across environments
C. To list all outdated packages that need updating
D. To define scripts for running tests and builds
💡 Hint
Think about how to make sure everyone gets the same package versions.
component_behavior
intermediate
What happens if package-lock.json is deleted before npm install?
If you delete package-lock.json and then run npm install, what is the most likely outcome?
A. npm installs only devDependencies and skips regular dependencies
B. npm refuses to install any packages without package-lock.json
C. npm installs packages exactly as before without any changes
D. npm installs the latest compatible versions based on package.json, possibly different from before
💡 Hint
Without the lock file, npm has no record of exact versions.
📝 Syntax
advanced
Identify the error in this package-lock.json snippet
Look at this snippet from a package-lock.json file. What is wrong with it?
{
  "name": "my-app",
  "version": "1.0.0",
  "lockfileVersion": 2,
  "dependencies": {
    "express": {
      "version": "4.17.1",
      "resolved": "https://registry.npmjs.org/express/-/express-4.17.1.tgz",
      "integrity": "sha512-...",
      "requires": {
        "accepts": "~1.3.7"
      }
    }
  },
  "devDependencies": {}
}
A. Missing comma after the dependencies object before devDependencies
B. The version field should be a number, not a string
C. lockfileVersion must be 1, not 2
D. The integrity field should be a boolean, not a string
💡 Hint
Check JSON syntax carefully between objects.
state_output
advanced
What version of lodash will be installed?
Given this package.json and package-lock.json snippet, what version of lodash will npm install?
// package.json:
{
  "dependencies": {
    "lodash": "^4.17.15"
  }
}

// package-lock.json snippet:
{
  "name": "my-app",
  "lockfileVersion": 2,
  "dependencies": {
    "lodash": {
      "version": "4.17.21",
      "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz",
      "integrity": "sha512-..."
    }
  }
}
A. 4.17.21 (the version locked in package-lock.json)
B. 4.17.15 (the minimum version specified in package.json)
C. The latest lodash version available on npm
D. Installation will fail due to version conflict
💡 Hint
npm prefers the lock file version for installs.
🔧 Debug
expert
Why does npm install produce different results on two machines?
Two developers run npm install on the same project with the same package.json but different package-lock.json files. What is the most likely cause of different installed package versions?
A. npm caches are always cleared on install, so versions differ randomly
B. package.json overrides package-lock.json during install
C. The package-lock.json files differ, causing npm to install different exact versions
D. npm install ignores package-lock.json if node_modules exists
💡 Hint
Check if the lock files are identical on both machines.

Practice

1. What is the main purpose of the package-lock.json file in a Node.js project?
easy
A. To store user credentials for npm registry
B. To list all available npm packages globally
C. To configure environment variables for the project
D. To lock exact versions of installed packages for consistent installs

Solution

  1. Step 1: Understand the role of package-lock.json

    This file records the exact versions of all installed packages and their dependencies.
  2. Step 2: Compare with other options

    Options A, B, and C describe unrelated functions not handled by package-lock.json.
  3. Final Answer:

    To lock exact versions of installed packages for consistent installs -> Option D
  4. Quick Check:

    Locking versions = D [OK]
Hint: Remember: lock file fixes versions to avoid surprises [OK]
Common Mistakes:
  • Confusing package-lock.json with package.json
  • Thinking it stores user or environment info
  • Assuming it lists global packages
2. Which command should you run to install packages exactly as specified in package-lock.json without updating it?
easy
A. npm ci
B. npm update
C. npm init
D. npm install

Solution

  1. Step 1: Identify the command for deterministic installs

    npm ci installs packages exactly as locked in package-lock.json without modifying it.
  2. Step 2: Understand other commands

    npm install may update the lock file; npm update upgrades packages; npm init initializes a new project.
  3. Final Answer:

    npm ci -> Option A
  4. Quick Check:

    Deterministic install = npm ci [OK]
Hint: Use npm ci for exact installs, no changes [OK]
Common Mistakes:
  • Using npm install which can update lock file
  • Confusing npm update with install
  • Thinking npm init installs packages
3. Given a project with package-lock.json committed, what happens when a teammate runs npm install on their machine?
medium
A. They install latest package versions ignoring package-lock.json
B. They install exact package versions locked in package-lock.json
C. They only install packages listed in package.json without lock file
D. They get an error because package-lock.json is ignored

Solution

  1. Step 1: Understand npm install behavior with package-lock.json

    When package-lock.json exists, npm install installs the exact versions locked in it to keep consistency.
  2. Step 2: Evaluate other options

    Installing latest package versions ignoring package-lock.json is wrong because npm install respects the lock file. Only installing packages listed in package.json without considering the lock file is incorrect. No error occurs because of the package-lock.json file.
  3. Final Answer:

    They install exact package versions locked in package-lock.json -> Option B
  4. Quick Check:

    Install respects lock file = B [OK]
Hint: Lock file guides install versions unless deleted [OK]
Common Mistakes:
  • Assuming npm install ignores package-lock.json
  • Thinking it installs latest versions always
  • Believing npm install errors if lock file exists
4. You run npm ci but get an error saying the package-lock.json file is missing. What is the likely cause?
medium
A. You forgot to commit package-lock.json to the repository
B. npm ci requires package.json only, not package-lock.json
C. Your Node.js version is too old to support npm ci
D. You need to run npm install first to generate package.json

Solution

  1. Step 1: Understand npm ci requirements

    npm ci requires a valid package-lock.json file to install exact versions.
  2. Step 2: Identify cause of missing lock file error

    If the lock file is missing, it is often because it was not committed or shared in the project repository.
  3. Final Answer:

    You forgot to commit package-lock.json to the repository -> Option A
  4. Quick Check:

    Missing lock file = forgot to commit [OK]
Hint: Always commit package-lock.json for npm ci [OK]
Common Mistakes:
  • Thinking npm ci works without lock file
  • Assuming Node.js version causes this error
  • Confusing package.json with lock file
5. You want to ensure your CI/CD pipeline installs dependencies exactly as your team tested, avoiding any version drift. Which approach best achieves this?
hard
A. Run npm update before every build to get latest packages
B. Run npm install and commit package.json only
C. Run npm ci and commit both package.json and package-lock.json
D. Delete package-lock.json and run npm install fresh each time

Solution

  1. Step 1: Identify the goal of deterministic installs in CI/CD

    To avoid version drift, installs must use exact versions tested by the team.
  2. Step 2: Choose the correct commands and files to commit

    npm ci installs exactly from package-lock.json, so committing both files and using npm ci ensures consistency.
  3. Step 3: Evaluate other options

    Option B (run npm install and commit package.json only) risks version drift; option A updates packages, which breaks consistency; option D removes the lock file, causing unpredictable installs.
  4. Final Answer:

    Run npm ci and commit both package.json and package-lock.json -> Option C
  5. Quick Check:

    CI consistency = npm ci + commit lock file [OK]
Hint: Use npm ci with committed lock file for CI [OK]
Common Mistakes:
  • Not committing package-lock.json
  • Using npm install in CI causing version drift
  • Running npm update in CI builds