Provided by: npm_5.8.0+ds6-4_all 
NAME
npm-package-locks - An explanation of npm lockfiles
DESCRIPTION
Conceptually, the "input" to npm help install is a npm help 5 package.json, while its
"output" is a fully-formed node_modules tree: a representation of the dependencies you
declared. In an ideal world, npm would work like a pure function: the same package.json
should produce the exact same node_modules tree, any time. In some cases, this is indeed
true. But in many others, npm is unable to do this. There are multiple reasons for this:
· different versions of npm (or other package managers) may have been used to install a
package, each using slightly different installation algorithms.
· a new version of a direct semver-range package may have been published since the last
time your packages were installed, and thus a newer version will be used.
· A dependency of one of your dependencies may have published a new version, which will
update even if you used pinned dependency specifiers (1.2.3 instead of ^1.2.3)
· The registry you installed from is no longer available, or allows mutation of versions
(unlike the primary npm registry), and a different version of a package exists under the
same version number now.
As an example, consider package A:
{
"name": "A",
"version": "0.1.0",
"dependencies": {
"B": "<0.1.0"
}
}
package B:
{
"name": "B",
"version": "0.0.1",
"dependencies": {
"C": "<0.1.0"
}
}
and package C:
{
"name": "C",
"version": "0.0.1"
}
If these are the only versions of A, B, and C available in the registry, then a normal npm
install A will install:
A@0.1.0
`-- B@0.0.1
`-- C@0.0.1
However, if B@0.0.2 is published, then a fresh npm install A will install:
A@0.1.0
`-- B@0.0.2
`-- C@0.0.1
assuming the new version did not modify B's dependencies. Of course, the new version of B
could include a new version of C and any number of new dependencies. If such changes are
undesirable, the author of A could specify a dependency on B@0.0.1. However, if A's author
and B's author are not the same person, there's no way for A's author to say that he or
she does not want to pull in newly published versions of C when B hasn't changed at all.
To prevent this potential issue, npm uses npm help 5 package-lock.json or, if present, npm
help 5 shrinkwrap.json. These files are called package locks, or lockfiles.
Whenever you run npm install, npm generates or updates your package lock, which will look
something like this:
{
"name": "A",
"version": "0.1.0",
...metadata fields...
"dependencies": {
"B": {
"version": "0.0.1",
"resolved": "https://registry.npmjs.org/B/-/B-0.0.1.tgz",
"integrity": "sha512-DeAdb33F+"
"dependencies": {
"C": {
"version": "git://github.com/org/C.git#5c380ae319fc4efe9e7f2d9c78b0faa588fd99b4"
}
}
}
}
}
This file describes an exact, and more importantly reproducible node_modules tree. Once
it's present, any future installation will base its work off this file, instead of
recalculating dependency versions off npm help 5 package.json.
The presence of a package lock changes the installation behavior such that:
1. The module tree described by the package lock is reproduced. This means reproducing the
structure described in the file, using the specific files referenced in "resolved" if
available, falling back to normal package resolution using "version" if one isn't.
2. The tree is walked and any missing dependencies are installed in the usual fashion.
If preshrinkwrap, shrinkwrap or postshrinkwrap are in the scripts property of the
package.json, they will be executed in order. preshrinkwrap and shrinkwrap are executed
before the shrinkwrap, postshrinkwrap is executed afterwards. These scripts run for both
package-lock.json and npm-shrinkwrap.json. For example to run some postprocessing on the
generated file:
"scripts": {
"postshrinkwrap": "json -I -e \"this.myMetadata = $MY_APP_METADATA\""
}
Using locked packages
Using a locked package is no different than using any package without a package lock: any
commands that update node_modules and/or package.json's dependencies will automatically
sync the existing lockfile. This includes npm install, npm rm, npm update, etc. To prevent
this update from happening, you can use the --no-save option to prevent saving altogether,
or --no-shrinkwrap to allow package.json to be updated while leaving package-lock.json or
npm-shrinkwrap.json intact.
It is highly recommended you commit the generated package lock to source control: this
will allow anyone else on your team, your deployments, your CI/continuous integration, and
anyone else who runs npm install in your package source to get the exact same dependency
tree that you were developing on. Additionally, the diffs from these changes are
human-readable and will inform you of any changes npm has made to your node_modules, so
you can notice if any transitive dependencies were updated, hoisted, etc.
Resolving lockfile conflicts
Occasionally, two separate npm install will create package locks that cause merge
conflicts in source control systems. As of npm@5.7.0, these conflicts can be resolved by
manually fixing any package.json conflicts, and then running npm install
[--package-lock-only] again. npm will automatically resolve any conflicts for you and
write a merged package lock that includes all the dependencies from both branches in a
reasonable tree. If --package-lock-only is provided, it will do this without also
modifying your local node_modules/.
To make this process seamless on git, consider installing npm-merge-driver
https://npm.im/npm-merge-driver, which will teach git how to do this itself without any
user interaction. In short: $ npx npm-merge-driver install -g will let you do this, and
even works with pre-npm@5.7.0 versions of npm 5, albeit a bit more noisily. Note that if
package.json itself conflicts, you will have to resolve that by hand and run npm install
manually, even with the merge driver.
SEE ALSO
· https://medium.com/@sdboyer/so-you-want-to-write-a-package-manager-4ae9c17d9527
· npm help 5 package.json
· npm help 5 package-lock.json
· npm help 5 shrinkwrap.json
· npm help shrinkwrap
February 2019 NPM-PACKAGE-LOCKS(5)