Demystifying the package-lock.json file — to commit or not commit?

Christina Hastenrath
2 min read · Jun 16, 2023

TL;DR

We check the NPM package-lock.json file into our codebase because this is the industry standard as defined in the NPM docs.

[Screenshot (2021) of the npm docs: https://docs.npmjs.com/cli/v8/configuring-npm/package-lock-json?v=true]

Historically, the npm package-lock file was npm's answer to yarn's lock file; yarn recommended checking its lock file in, and npm adopted that recommendation.

What the package-lock.json file is

The package-lock file is a representation of the exact dependency tree installed at a certain point in time. It aids cross-environment collaboration, because everyone fetches dependencies from the same tree.

In addition, by committing the package-lock file, you can go back in history and replicate the exact dependency tree from that time.

In fact, a monorepo is a repo with several package-lock.json files at different levels; developers `cd` into the level where each package-lock file applies.
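The "exact dependency tree" a committed lock file records can be read back and compared between two points in history. The following Node.js script is an added example (not code from the original post): it flattens the `packages` map of a lockfileVersion 2 or 3 package-lock.json and diffs two snapshots. The two lock files embedded in it are constructed sample data with a made-up registry host and integrity strings, not real project files.

```javascript
// Added example, not code from the original post: read the exact dependency
// tree recorded in a package-lock.json (lockfileVersion 2 or 3, which both
// carry the "packages" map) and diff two snapshots of it, which is what a
// committed lock file lets you do when you "go back in history".
// Both lock files below are constructed sample data, not real project files.

const LOCK_BEFORE = JSON.stringify({
  name: "example-app", // constructed project name
  version: "1.0.0",
  lockfileVersion: 3,
  requires: true,
  packages: {
    "": { name: "example-app", version: "1.0.0",
          dependencies: { left: "^1.0.0", right: "^2.0.0" } },
    "node_modules/left": { version: "1.0.0",
      resolved: "https://registry.example.invalid/left/-/left-1.0.0.tgz",
      integrity: "sha512-CONSTRUCTED-LEFT-1.0.0" },
    "node_modules/right": { version: "2.0.0",
      resolved: "https://registry.example.invalid/right/-/right-2.0.0.tgz",
      integrity: "sha512-CONSTRUCTED-RIGHT-2.0.0" },
  },
});

const LOCK_AFTER = JSON.stringify({
  name: "example-app",
  version: "1.0.0",
  lockfileVersion: 3,
  requires: true,
  packages: {
    "": { name: "example-app", version: "1.0.0",
          dependencies: { left: "^1.0.0", extra: "^0.3.0" } },
    "node_modules/left": { version: "1.1.0",
      resolved: "https://registry.example.invalid/left/-/left-1.1.0.tgz",
      integrity: "sha512-CONSTRUCTED-LEFT-1.1.0" },
    "node_modules/extra": { version: "0.3.0",
      resolved: "https://registry.example.invalid/extra/-/extra-0.3.0.tgz",
      integrity: "sha512-CONSTRUCTED-EXTRA-0.3.0" },
  },
});

// Flatten the "packages" map into path -> { version, resolved, integrity }.
function parseLockfile(text) {
  const lock = JSON.parse(text);
  if (!lock.packages) {
    throw new Error(
      `lockfileVersion ${lock.lockfileVersion}: no "packages" map ` +
      `(lockfileVersion 1 files only carry "dependencies")`);
  }
  const tree = new Map();
  for (const [path, entry] of Object.entries(lock.packages)) {
    if (path === "") continue; // "" is the root project itself, not a dependency
    tree.set(path, {
      version: entry.version,
      resolved: entry.resolved,
      integrity: entry.integrity,
    });
  }
  return tree;
}

// Compare two snapshots. A "changed" entry is any path whose version or
// integrity hash differs; a changed integrity at an unchanged version means
// the tarball content is no longer the same and deserves a second look.
function diffLockfiles(beforeText, afterText) {
  const before = parseLockfile(beforeText);
  const after = parseLockfile(afterText);
  const added = [], removed = [], changed = [];
  for (const [path, entry] of after) {
    const prev = before.get(path);
    if (!prev) {
      added.push(path);
    } else if (prev.version !== entry.version || prev.integrity !== entry.integrity) {
      changed.push({
        path,
        from: prev.version,
        to: entry.version,
        integrityChanged: prev.integrity !== entry.integrity,
      });
    }
  }
  for (const path of before.keys()) {
    if (!after.has(path)) removed.push(path);
  }
  return { added, removed, changed };
}

console.log(JSON.stringify(diffLockfiles(LOCK_BEFORE, LOCK_AFTER), null, 2));
```

In a real repository you would feed `git show <commit>:package-lock.json` and the working copy into `diffLockfiles`; the sample run reports `left` bumped from 1.0.0 to 1.1.0, `extra` added and `right` removed.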

Recommendations:

If you run `npm i` and notice that package-lock.json was updated, chances are you are on the wrong version of Node.js (and therefore of npm). To fix it:

rm package-lock.json; rm -rf node_modules; nvm use <node version>; npm i
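One way to confirm the "wrong npm version" diagnosis before blowing the file away is to compare the lock file's `lockfileVersion` with the version the running npm would write. The script below is an added example, not code from the original post. The mapping it uses follows the npm docs: lockfileVersion 1 is written by npm 5 and 6, 2 by npm 7 and 8, and 3 by npm 9 and later. It reads the npm version from the `npm_config_user_agent` environment variable that npm sets for scripts it runs; when the script is run directly with `node`, that variable is absent, and the fallback to major 9 is an assumption made only for the demonstration. The embedded lock file is constructed sample data.

```javascript
// Added example, not code from the original post: detect a package-lock.json
// written by a different npm generation than the one in use. Mapping per the
// npm docs: lockfileVersion 1 <- npm 5-6, 2 <- npm 7-8, 3 <- npm 9+.

function expectedLockfileVersion(npmMajor) {
  if (!Number.isInteger(npmMajor) || npmMajor < 5) {
    throw new RangeError(`npm ${npmMajor} does not write package-lock.json`);
  }
  if (npmMajor <= 6) return 1;
  if (npmMajor <= 8) return 2;
  return 3;
}

// npm exposes its own version to scripts via npm_config_user_agent, e.g.
// "npm/9.6.7 node/v18.16.0 linux x64". Returns the major version or null.
function parseNpmMajor(userAgent) {
  const m = /(?:^|\s)npm\/(\d+)\.\d+\.\d+/.exec(userAgent || "");
  return m ? Number(m[1]) : null;
}

// Compare the lock file on disk with what this npm major would produce.
// A mismatch means the file came from a different npm generation, which is
// the usual reason `npm i` rewrites it unexpectedly.
function checkLockfile(lockText, npmMajor) {
  const lock = JSON.parse(lockText);
  if (!Number.isInteger(lock.lockfileVersion)) {
    throw new Error('package-lock.json has no integer "lockfileVersion"');
  }
  const expected = expectedLockfileVersion(npmMajor);
  return {
    lockfileVersion: lock.lockfileVersion,
    expected,
    mismatch: lock.lockfileVersion !== expected,
  };
}

// Constructed sample: a lock file as npm 8 writes it (lockfileVersion 2).
const SAMPLE_LOCK = JSON.stringify({
  name: "example-app", // constructed project name
  version: "1.0.0",
  lockfileVersion: 2,
  requires: true,
  packages: { "": { name: "example-app", version: "1.0.0" } },
  dependencies: {},
});

// Assumption for the demo: when not run via npm, pretend we are on npm 9.
const currentMajor = parseNpmMajor(process.env.npm_config_user_agent) ?? 9;
const result = checkLockfile(SAMPLE_LOCK, currentMajor);
if (result.mismatch) {
  console.log(
    `lockfileVersion ${result.lockfileVersion} but npm ${currentMajor} writes ` +
    `${result.expected}; switch Node/npm (nvm use <node version>) before ` +
    `regenerating with rm package-lock.json; rm -rf node_modules; npm i`);
} else {
  console.log(`lockfileVersion ${result.lockfileVersion} matches npm ${currentMajor}`);
}
```

Run it as an npm script (`"check-lock": "node check-lock.js"` in package.json, then `npm run check-lock`) so that `npm_config_user_agent` is populated by the npm actually in use. For CI, `npm ci` installs strictly from the committed lock file and fails instead of rewriting it when package.json and package-lock.json disagree, which is the behaviour you want where a silently updated lock file would otherwise go unnoticed.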

package-lock.json is one of those files where, if there are ever merge conflicts, you can just blow it away, because it gets generated automatically.

We want to avoid a situation where we are constantly checking in a new package-lock file. This advice is specific to package-lock.json; it does not apply to versioned code repositories or to other lock files.

Resources

NPM documentation
The Ultimate Guide to yarn.lock files


Christina Hastenrath

Molecular Biologist turned Software Engineer. I write about my code. Connect with me on Twitter @etTinchen