Quite often, I have been asked the question “Why is package-lock.json always updated but never used as reference to stick the the packages it defines?”. Even though the answer is quite simple, it is not obvious enough. :)
The quick answer
package-lock.json is updated with every normal npm install to constantly reflect the packages that were used on the last build.
To use exactly the versions pinned in package-lock.json, one needs to use the npm ci command (npm docs). It’s called ci as this command is expected to be used primarily within CI systems / for builds executed in CI systems.
Thus, you should usually use npm ci instead of npm install in your build executed in CI jobs / pipelines.
Some background
npm-ci was introduced in March 2018 to provide faster, more reliable builds and a way for clean installs of your project based on a exact definition - the package-lock.json that is created and maintained on every regular npm install. Thus, the package-lock.json is intended to be pushed in your code repository and maintained along with your source code.
Conclusion
I hope this article clarifies the meaning of package-lock.json and how you can profit from it, especially if you’re not working exclusively in the context of NPM based projects.
Markus Schlichting is a co-founder of Karakun AG and lives in Siegburg, Germany. He is organizer of the Hackergarten in Basel and occasionally speaks at user groups and conferences and writes articles. Software Engineering, agile methodology and Open Source are concerns of his heart.
When not sitting in front of a computer, he loves to spend time with his sons and his wife, taking photographs or to get some fresh air driving his motorbike.