Demystifying the package-lock.json file — to commit or not commit?

Christina Hastenrath
2 min readJun 16
Photo by Flo P on Unsplash


We check the NPM package-lock.json file into our codebase because this is the industry standard as defined in the NPM docs.

2021 screenshot

Historically NPM package-lock file is the answer to yarns’ lock file and yarn recommended to check it in, so NPM adopted that recommendation.

What the package-lock.json file is

The package-lock file is a representation of the exact dependency tree installed at a certain point in time. It aids cross environmental collaboration, where everyone fetches dependencies from the same tree.

In addition, by committing the package-lock file, you can go back in history and replicate the exact dependency tree from that time.

In fact a monorepo is a repo with several package-lock.json files at different levels. Developers `cd` into those specific levels where each package-lock file applies.


If you npm i & notice the “package-lock.json” file was updated, chances are you are on the wrong version of NodeJS (& subsequently npm). To fix it:

rm package-lock.json; rm -rf node_modules; nvm use <node version>; npm i

package-lock.json is one of those files, where if there are ever conflicts, just blow it away, because it gets generated automatically.

We want to avoid a situation where we’re always checking in a new package-lock file, but for versioned code repositories and any other lock files, this does not apply.


NPM documentation
The Ultimate Guide to yarn.lock files

Christina Hastenrath

Molecular Biologist turned Software Engineer. I write about my code. Connect with me on Twitter @etTinchen