Bird
Raised Fist0
Node.jsframework~5 mins

package-lock.json and deterministic installs in Node.js - Cheat Sheet & Quick Revision

Choose your learning style10 modes available
LearnWhyDeepVisualTryChallengeProjectRecallPerf

Start learning this pattern below

Jump into concepts and practice - no test required

or
Recommended
Test this pattern10 questions across easy, medium, and hard to know if this pattern is strong
Recall & Review
beginner
What is the purpose of package-lock.json in a Node.js project?

package-lock.json locks the exact versions of all installed packages and their dependencies. It ensures that everyone working on the project installs the same versions, making installs predictable and consistent.

Click to reveal answer
beginner
How does package-lock.json help with deterministic installs?

It records the full dependency tree with exact versions and sources. When you run npm install, npm uses this file to install the exact same versions every time, avoiding surprises from updated packages.

Click to reveal answer
beginner
True or False: package-lock.json should be committed to version control.

True. Committing package-lock.json ensures all team members and deployment environments use the same package versions, improving reliability.

Click to reveal answer
intermediate
What happens if package-lock.json is missing when running npm install?

npm will resolve package versions based on package.json rules and fetch the latest matching versions. This can lead to different versions installed on different machines, breaking deterministic installs.

Click to reveal answer
intermediate
Explain the difference between package.json and package-lock.json.

package.json lists the packages your project needs with version ranges (like ^1.2.0). package-lock.json records the exact versions installed, including nested dependencies, to ensure consistent installs.

Click to reveal answer
What file ensures that npm installs the exact same package versions every time?
Apackage.json
Bpackage-lock.json
C.npmrc
Dnode_modules
If package-lock.json is deleted, what is likely to happen on the next npm install?
Anpm installs exact same versions as before
Bnpm fails to install any packages
Cnpm installs latest matching versions based on <code>package.json</code>
Dnpm ignores <code>package.json</code>
Should package-lock.json be committed to git?
AYes, to ensure consistent installs
BNo, it should be ignored
COnly for production projects
DOnly if using yarn
Which file lists your project’s direct dependencies with version ranges?
Apackage.json
Bpackage-lock.json
Cnpm-shrinkwrap.json
Dnode_modules
What is the main benefit of deterministic installs?
AFaster internet speed
BAutomatic code formatting
CSmaller package sizes
DConsistent package versions across installs
Describe how package-lock.json helps maintain consistent package versions in a team project.
Think about how to avoid different versions on different machines.
You got /4 concepts.
    Explain the difference between package.json and package-lock.json and why both are important.
    One is a wish list, the other is a snapshot.
    You got /4 concepts.

      Practice

      (1/5)
      1. What is the main purpose of the package-lock.json file in a Node.js project?
      easy
      A. To store user credentials for npm registry
      B. To list all available npm packages globally
      C. To configure environment variables for the project
      D. To lock exact versions of installed packages for consistent installs

      Solution

      1. Step 1: Understand the role of package-lock.json

        This file records the exact versions of all installed packages and their dependencies.

      2. Step 2: Compare with other options

        Options A, B, and D describe unrelated functions not handled by package-lock.json.

      3. Final Answer:

        To lock exact versions of installed packages for consistent installs -> Option D

      4. Quick Check:

        Locking versions = C [OK]
      Hint: Remember: lock file fixes versions to avoid surprises [OK]
      Common Mistakes:
      • Confusing package-lock.json with package.json
      • Thinking it stores user or environment info
      • Assuming it lists global packages
      2. Which command should you run to install packages exactly as specified in package-lock.json without updating it?
      easy
      A. npm ci
      B. npm update
      C. npm init
      D. npm install

      Solution

      1. Step 1: Identify the command for deterministic installs

        npm ci installs packages exactly as locked in package-lock.json without modifying it.

      2. Step 2: Understand other commands

        npm install may update the lock file; npm update upgrades packages; npm init initializes a new project.

      3. Final Answer:

        npm ci -> Option A

      4. Quick Check:

        Deterministic install = npm ci [OK]
      Hint: Use npm ci for exact installs, no changes [OK]
      Common Mistakes:
      • Using npm install which can update lock file
      • Confusing npm update with install
      • Thinking npm init installs packages
      3. Given a project with package-lock.json committed, what happens when a teammate runs npm install on their machine?
      medium
      A. They install latest package versions ignoring package-lock.json
      B. They install exact package versions locked in package-lock.json
      C. They only install packages listed in package.json without lock file
      D. They get an error because package-lock.json is ignored

      Solution

      1. Step 1: Understand npm install behavior with package-lock.json

        When package-lock.json exists, npm install installs the exact versions locked in it to keep consistency.

      2. Step 2: Evaluate other options

        Installing latest package versions ignoring package-lock.json is wrong because npm install respects the lock file. Only installing packages listed in package.json without considering the lock file is incorrect. No error occurs because of the package-lock.json file.

      3. Final Answer:

        They install exact package versions locked in package-lock.json -> Option B

      4. Quick Check:

        Install respects lock file = A [OK]
      Hint: Lock file guides install versions unless deleted [OK]
      Common Mistakes:
      • Assuming npm install ignores package-lock.json
      • Thinking it installs latest versions always
      • Believing npm install errors if lock file exists
      4. You run npm ci but get an error saying the package-lock.json file is missing. What is the likely cause?
      medium
      A. You forgot to commit package-lock.json to the repository
      B. npm ci requires package.json only, not package-lock.json
      C. Your Node.js version is too old to support npm ci
      D. You need to run npm install first to generate package.json

      Solution

      1. Step 1: Understand npm ci requirements

        npm ci requires a valid package-lock.json file to install exact versions.

      2. Step 2: Identify cause of missing lock file error

        If the lock file is missing, it is often because it was not committed or shared in the project repository.

      3. Final Answer:

        You forgot to commit package-lock.json to the repository -> Option A

      4. Quick Check:

        Missing lock file = forgot to commit [OK]
      Hint: Always commit package-lock.json for npm ci [OK]
      Common Mistakes:
      • Thinking npm ci works without lock file
      • Assuming Node.js version causes this error
      • Confusing package.json with lock file
      5. You want to ensure your CI/CD pipeline installs dependencies exactly as your team tested, avoiding any version drift. Which approach best achieves this?
      hard
      A. Run npm update before every build to get latest packages
      B. Run npm install and commit package.json only
      C. Run npm ci and commit both package.json and package-lock.json
      D. Delete package-lock.json and run npm install fresh each time

      Solution

      1. Step 1: Identify the goal of deterministic installs in CI/CD

        To avoid version drift, installs must use exact versions tested by the team.

      2. Step 2: Choose the correct commands and files to commit

        npm ci installs exactly from package-lock.json, so committing both files and using npm ci ensures consistency.

      3. Step 3: Evaluate other options

        Run npm install and commit package.json only risks version drift; C updates packages which breaks consistency; D removes lock file causing unpredictable installs.

      4. Final Answer:

        Run npm ci and commit both package.json and package-lock.json -> Option C

      5. Quick Check:

        CI consistency = npm ci + commit lock file [OK]
      Hint: Use npm ci with committed lock file for CI [OK]
      Common Mistakes:
      • Not committing package-lock.json
      • Using npm install in CI causing version drift
      • Running npm update in CI builds