The package-lock.json file is an attempt to ensure that the packages used by developers match the packages used in another important environment: production. It also ensures that any changes to the versions used in production are deliberate, have an opportunity to be reviewed, and can easily be rolled back by building and deploying an older version of the application's source.

Note that including a version of 1.2 in the dependencies in package.json tells npm that it may select the latest version that begins with 1.2. Even though the version difference would suggest a non-breaking change, there is nothing really preventing the express developers from breaking the package between the hypothetical versions 1.2.0 and 1.2.1, so it is important to ensure that the move between these versions is deliberate and easily reversible.
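As an added example (not code from the original text), the check below mirrors what a lockfile gives you: it reads a constructed package.json and a lockfileVersion 2/3-style package-lock.json, verifies that the exact locked version of each dependency still falls inside the range declared in package.json, and reports any drift. Only the partial range form used above ("1.2", meaning any 1.2.x) and exact versions are handled; the sample data and the checkLock/satisfies names are this example's own.

```javascript
// Constructed sample inputs; these are not real project files.
const packageJson = { dependencies: { express: "1.2" } };
const packageLock = {
  lockfileVersion: 3,
  packages: {
    "node_modules/express": { version: "1.2.1" },
  },
};

// Parse an exact "X.Y.Z" version into numbers; anything else is an error.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  if (!m) throw new Error(`not an exact version: ${v}`);
  return m.slice(1).map(Number);
}

// Does the exact `version` fall inside `range`?
// "X.Y" matches any patch level of X.Y (so "1.2" admits 1.2.0 and 1.2.1
// but not 1.3.0); "X.Y.Z" matches only that exact version. Any other
// range syntax is rejected rather than guessed at.
function satisfies(version, range) {
  const [maj, min, pat] = parseVersion(version);
  const partial = /^(\d+)\.(\d+)$/.exec(range);
  if (partial) {
    return maj === Number(partial[1]) && min === Number(partial[2]);
  }
  if (/^\d+\.\d+\.\d+$/.test(range)) {
    const [rmaj, rmin, rpat] = parseVersion(range);
    return maj === rmaj && min === rmin && pat === rpat;
  }
  throw new Error(`unsupported range syntax: ${range}`);
}

// Compare every declared dependency with its locked entry.
// Returns a list of problems; an empty list means the lockfile is in sync.
function checkLock(pkg, lock) {
  const problems = [];
  for (const [name, range] of Object.entries(pkg.dependencies || {})) {
    const entry = lock.packages[`node_modules/${name}`];
    if (!entry) {
      problems.push(`${name}: missing from package-lock.json`);
      continue;
    }
    if (!satisfies(entry.version, range)) {
      problems.push(`${name}: locked ${entry.version} does not satisfy ${range}`);
    }
  }
  return problems;
}
```

A non-empty result is the signal that someone changed package.json (or the lockfile) without the matching update, which is exactly the situation a reviewer wants to see before it reaches production.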