
I read about the use of package-lock.json in the

blog
https://medium.com/@Quigley_Ja/everything-you-wanted-to-know-about-package-lock-json-b81911aa8ab8

and documentation
https://docs.npmjs.com/files/package-lock.json

However, it's not clear why it's not allowed to publish package-lock.json, or what problem might occur. Could someone shed some light on this?

Thank you

BuZZ-dEE
Akshay Vijay Jain
  • package-lock.json is more like a temporary file and may change, so why would you want to publish that? – Arpit Solanki Feb 16 '18 at 06:24
  • I understand it represents exact state of our project, why are you calling it temporary file? – Akshay Vijay Jain Feb 16 '18 at 06:26
  • "Like a temporary" file means that it will be specific to when, where and what you are running with your node app. It's actually not required if you publish your app to npm. – Arpit Solanki Feb 16 '18 at 06:28
  • Good point Arpit, but why would we see it as not required when it provides a more accurate state of our project, apart from package.json? – Akshay Vijay Jain Feb 16 '18 at 06:30
  • @ArpitSolanki It isn't temporary at all, you're even meant to check it into source-control. Are you thinking of a "lock file" used in databases and such? Do not confuse the two, `package-lock.json` is not a lock file. – Dai Feb 16 '18 at 06:31

2 Answers


Possible duplicate of "Should package-lock.json also be published?" and "Do I commit the package-lock.json file created by npm 5?"

I believe that you refer to

One key detail about package-lock.json is that it cannot be published

on https://docs.npmjs.com/files/package-lock.json.

package-lock.json indeed will be ignored if published on NPM but package-lock.json is intended to be committed to source control.
It ensures that dependencies you used on a local machine will be the same versions on a production environment.

You do not want to have devDependencies in package-lock.json though, as they might and will affect the production environment.

BuZZ-dEE
Alexander Ivanov
  • The gist of your answer is that there are dev dependencies in the lock file which should not be published, but dev dependencies are in the package file as well. – Akshay Vijay Jain Feb 16 '18 at 09:54
  • I had read both answers on SO; I raised this question because we need direct and helpful answers, and those questions do not answer the requested thing. – Akshay Vijay Jain Feb 16 '18 at 09:55


The reason they shouldn't be published is because it won't do anything. npm will ignore any package-lock.json that is not at the root of the project as it doesn't make sense to lock dependencies anywhere other than in the project itself.

There's no danger of anything going wrong, it's just pointless to publish it.

Source: https://docs.npmjs.com/cli/v7/configuring-npm/package-lock-json

The difference is that package-lock.json cannot be published, and it will be ignored if found in any place other than the root project.