Provided by: npm_5.8.0+ds6-4_all bug

NAME

       package-lock.json - A manifestation of the manifest

DESCRIPTION

       package-lock.json  is automatically generated for any operations where npm modifies either
       the node_modules tree, or package.json. It describes the exact tree  that  was  generated,
       such  that  subsequent  installs  are  able  to  generate  identical  trees, regardless of
       intermediate dependency updates.

       This file is intended to  be  committed  into  source  repositories,  and  serves  various
       purposes:

       · Describe  a single representation of a dependency tree such that teammates, deployments,
         and continuous integration are guaranteed to install exactly the same dependencies.

       · Provide a facility for users to "time-travel" to previous states of node_modules without
         having to commit the directory itself.

       · To facilitate greater visibility of tree changes through readable source control diffs.

       · And  optimize  the  installation  process  by  allowing  npm  to  skip repeated metadata
         resolutions for previously-installed packages.

       One key detail about package-lock.json is that it cannot be  published,  and  it  will  be
       ignored if found in any place other than the toplevel package. It shares a format with npm
       help 5 shrinkwrap.json, which is essentially the same file, but allows  publication.  This
       is  not recommended unless deploying a CLI tool or otherwise using the publication process
       for producing production packages.

       If both package-lock.json and npm-shrinkwrap.json are present in the root  of  a  package,
       package-lock.json will be completely ignored.

FILE FORMAT

   name
       The  name  of  the  package  this  is  a  package-lock  for.  This  must  match  what's in
       package.json.

   version
       The version of the package  this  is  a  package-lock  for.  This  must  match  what's  in
       package.json.

   lockfileVersion
       An integer version, starting at 1 with the version number of this document whose semantics
       were used when generating this package-lock.json.

   packageIntegrity
       This               is                a                subresource                integrity
       https://w3c.github.io/webappsec/specs/subresourceintegrity/   value   created   from   the
       package.json. No preprocessing of the package.json should be done.  Subresource  integrity
       strings can be produced by modules like ssri https://www.npmjs.com/package/ssri.

   preserveSymlinks
       Indicates  that  the install was done with the environment variable NODE_PRESERVE_SYMLINKS
       enabled. The  installer  should  insist  that  the  value  of  this  property  match  that
       environment variable.

   dependencies
       A  mapping  of  package  name to dependency object.  Dependency objects have the following
       properties:

   version
       This is a specifier that uniquely identifies this package and should be usable in fetching
       a new copy of it.

       · bundled  dependencies: Regardless of source, this is a version number that is purely for
         informational purposes.

       · registry sources: This is a version number. (eg, 1.2.3)

       · git   sources:   This   is   a   git   specifier   with   resolved   committish.    (eg,
         git+https://example.com/foo/bar#115311855adb0789a0466714ed48a1499ffea97e)

       · http    tarball    sources:    This    is    the    URL    of    the    tarball.    (eg,
         https://example.com/example-1.3.0.tgz)

       · local   tarball   sources:   This   is   the   file   URL   of    the    tarball.    (eg
         file:///opt/storage/example-1.3.0.tgz)

       · local link sources: This is the file URL of the link. (eg file:libs/our-module)

   integrity
       This           is           a           Standard           Subresource           Integrity
       https://w3c.github.io/webappsec/specs/subresourceintegrity/ for this resource.

       · For bundled dependencies this is not included, regardless of source.

       · For registry sources, this is the integrity that the registry provided, or if one wasn't
         provided the SHA1 in shasum.

       · For git sources this is the specific commit hash we cloned from.

       · For remote tarball sources this is an integrity based on a SHA512 of the file.

       · For local tarball sources: This is an integrity field based on the SHA512 of the file.

   resolved
       · For bundled dependencies this is not included, regardless of source.

       · For  registry  sources this is path of the tarball relative to the registry URL.  If the
         tarball URL isn't on the same server as the registry URL then this is a complete URL.

   bundled
       If true, this is the bundled dependency and will be installed by the parent module.   When
       installing, this module will be extracted from the parent module during the extract phase,
       not installed as a separate dependency.

   dev
       If true then this dependency is either a development dependency  ONLY  of  the  top  level
       module  or a transitive dependency of one.  This is false for dependencies that are both a
       development dependency of the top level and a transitive dependency of  a  non-development
       dependency of the top level.

   optional
       If true then this dependency is either an optional dependency ONLY of the top level module
       or a transitive dependency of one.  This is  false  for  dependencies  that  are  both  an
       optional  dependency  of  the  top  level  and  a  transitive dependency of a non-optional
       dependency of the top level.

       All optional dependencies should be included even if they're uninstallable on the  current
       platform.

   requires
       This  is  a  mapping  of module name to version.  This is a list of everything this module
       requires, regardless of where it will be installed.  The version should match  via  normal
       matching rules a dependency either in our dependencies or in a level higher than us.

   dependencies
       The dependencies of this dependency, exactly as at the top level.

SEE ALSO

       · npm help shrinkwrap

       · npm help 5 shrinkwrap.json

       · npm help 5 package-locks

       · npm help 5 package.json

       · npm help install

                                          February 2019                      PACKAGE-LOCK.JSON(5)