So yeah I am going to write about probably the most ignored file from our directories package-lock.json !!.Without deep diving into how to create a package.json file and all that stuff, let us just look at the key differences.
Package.json :
The package.json file is the center of any Node.js project or npm package. It stores information about your project, similar to how the <head> section of an HTML document describes the content of a webpage. It is basically an JSON object file where information is stored in key-value pairs.
"name": "nodeExpress",
"version": "1.0.0",
"description": "node express examples",
"main": "index.js",
"scripts": {
"test": "echo \"Error: no test specified\" && exit 1",
"start": "node index"
},
"author": "Navjyot Bhele",
"license": "ISC",
"dependencies": {
"body-parser": "^1.18.3",
"express": "^4.16.3",
"morgan": "^1.10.0"
}
}
As You can see in the above file how the information is stored in json format about a certain project. Carefully looking at the dependencies section in given json file, we see three key-value pairs embedded in it. The dependencies section contains the name and version of those npm packages which our project is dependant on as shown.
So as you can see in the picture above after every dependency listed under package.json there's a number something like ^1.10.0 which is the version of that package but before the version, there is ^. So ^, this little guy can be a total destroyer for your project.
^ sign before the version tells that if someone clones the project and runs npm install in the directory then install the latest version of the package in his node_modules.
So lets say I am having morgan with ^1.10.0 in package.json and then morgan team releases version 1.24.0 and now when someone clone my repo and runs npm install in that directory they he/she will get the version 1.24.0 .
So npm later released a new file called package-lock.json to avoid such scenarios.
Package-lock.json :
package-lock.json will simply ignore this general behaviour of installing the updated version of that package when you type-in npm install. So when someone clones your project and does npm install then automatically all those dependencies with same exact versions will be installed on your device as installed by the original project developer. It can be said that it basically ignores(^) in-front of any dev dependencies.
package-lock.json too contains all the meta data of the project you are working on.
I hope after reading this you get an general idea of the differences between those two mentioned files. Thanks For Reading :)