Do I need both package-lock.json and package.json

npmnpm-installpackage-lock.jsonpackage.json

After updating my NPM to the latest version (from 3.X to 5.2.0) and running npm install on an existing project, I get an auto-created package-lock.json file.

I can tell package-lock.json gives me an exact dependency tree as opposed to package.json.

From that info alone, it seems like package.json is redundant and not needed anymore.

Are both of them necessary for NPM to work?

Is it safe or possible to use only the package-lock.json file?

The docs on package-lock.json (doc1, doc2) doesn't mention anything about that.

Edit:

After some more thinking about it, I came to the conclusion that if someone wants to use your project with an older version of NPM (before 5.x) it would still install all of the dependencies, but with less accurate versions (patch versions)

Best Answer

Do you need both package-lock.json and package.json? No.

Do you need the package.json? Yes.

Can you have a project with only the package-lock.json? No.

The package.json is used for more than dependencies - like defining project properties, description, author & license information, scripts, etc. The package-lock.json is solely used to lock dependencies to a specific version number.

Related Solutions

Node.js – way to get version from package.json in nodejs code

I found that the following code fragment worked best for me. Since it uses require to load the package.json, it works regardless the current working directory.

var pjson = require('./package.json');
console.log(pjson.version);

A warning, courtesy of @Pathogen:

Doing this with Browserify has security implications.
Be careful not to expose your package.json to the client, as it means that all your dependency version numbers, build and test commands and more are sent to the client.
If you're building server and client in the same project, you expose your server-side version numbers too. Such specific data can be used by an attacker to better fit the attack on your server.

Node.js – Find the version of an installed npm package

npm list for local packages or npm list -g for globally installed packages.

You can find the version of a specific package by passing its name as an argument. For example, npm list grunt will result in:

projectName@projectVersion /path/to/project/folder
└── grunt@0.4.1

Alternatively, you can just run npm list without passing a package name as an argument to see the versions of all your packages:

├─┬ cli-color@0.1.6 
│ └── es5-ext@0.7.1 
├── coffee-script@1.3.3 
├── less@1.3.0 
├─┬ sentry@0.1.2 
│ ├── file@0.2.1 
│ └── underscore@1.3.3 
└── uglify-js@1.2.6

You can also add --depth=0 argument to list installed packages without their dependencies.

Best Answer

Related Solutions

Node.js – way to get version from package.json in nodejs code

Node.js – Find the version of an installed npm package

Related Topic