File Explorer

/var/lang/lib/node_modules/npm/man/man5
This explorer reads the filesystem of the server it runs on, so /workspace/user isn't present here. Browsing and the terminal still work against this server's own disk from /.
0 dirs
8 files
package-lock-json.511.5 KB · 167 lines
1.TH "PACKAGE-LOCK.JSON" "5" "February 2026" "NPM@11.11.0" ""2.SH "NAME"3\fBpackage-lock.json\fR - A manifestation of the manifest4.SS "Description"5.P6\fBpackage-lock.json\fR is automatically generated for any operations where npm modifies either the \fBnode_modules\fR tree, or \fBpackage.json\fR. It describes the exact tree that was generated, such that subsequent installs are able to generate identical trees, regardless of intermediate dependency updates.7.P8This file is intended to be committed into source repositories, and serves various purposes:9.RS 010.IP \(bu 411Describe a single representation of a dependency tree such that teammates, deployments, and continuous integration are guaranteed to install exactly the same dependencies.12.IP \(bu 413Provide a facility for users to "time-travel" to previous states of \fBnode_modules\fR without having to commit the directory itself.14.IP \(bu 415Facilitate greater visibility of tree changes through readable source control diffs.16.IP \(bu 417Optimize the installation process by allowing npm to skip repeated metadata resolutions for previously-installed packages.18.IP \(bu 419As of npm v7, lockfiles include enough information to gain a complete picture of the package tree, reducing the need to read \fBpackage.json\fR files, and allowing for significant performance improvements.20.RE 021 22.P23When \fBnpm\fR creates or updates \fBpackage-lock.json\fR, it will infer line endings and indentation from \fBpackage.json\fR so that the formatting of both files matches.24.SS "\fBpackage-lock.json\fR vs \fBnpm-shrinkwrap.json\fR"25.P26Both of these files have the same format, and perform similar functions in the root of a project.27.P28The difference is that \fBpackage-lock.json\fR cannot be published, and it will be ignored if found in any place other than the root project.29.P30In contrast, \fBnpm-shrinkwrap.json\fR \fI\(la/configuring-npm/npm-shrinkwrap-json\(ra\fR allows publication, and defines the dependency tree from the point encountered. This is not recommended unless deploying a CLI tool or otherwise using the publication process for producing production packages.31.P32If both \fBpackage-lock.json\fR and \fBnpm-shrinkwrap.json\fR are present in the root of a project, \fBnpm-shrinkwrap.json\fR will take precedence and \fBpackage-lock.json\fR will be ignored.33.SS "Hidden Lockfiles"34.P35In order to avoid processing the \fBnode_modules\fR folder repeatedly, npm as of v7 uses a "hidden" lockfile present in \fBnode_modules/.package-lock.json\fR. This contains information about the tree, and is used in lieu of reading the entire \fBnode_modules\fR hierarchy provided that the following conditions are met:36.RS 037.IP \(bu 438All package folders it references exist in the \fBnode_modules\fR hierarchy.39.IP \(bu 440No package folders exist in the \fBnode_modules\fR hierarchy that are not listed in the lockfile.41.IP \(bu 442The modified time of the file is at least as recent as all of the package folders it references.43.RE 044 45.P46That is, the hidden lockfile will only be relevant if it was created as part of the most recent update to the package tree. If another CLI mutates the tree in any way, this will be detected, and the hidden lockfile will be ignored.47.P48Note that it \fIis\fR possible to manually change the \fIcontents\fR of a package in such a way that the modified time of the package folder is unaffected. For example, if you add a file to \fBnode_modules/foo/lib/bar.js\fR, then the modified time on \fBnode_modules/foo\fR will not reflect this change. If you are manually editing files in \fBnode_modules\fR, it is generally best to delete the file at \fBnode_modules/.package-lock.json\fR.49.P50As the hidden lockfile is ignored by older npm versions, it does not contain the backwards compatibility affordances present in "normal" lockfiles. That is, it is \fBlockfileVersion: 3\fR, rather than \fBlockfileVersion: 2\fR.51.SS "Handling Old Lockfiles"52.P53When npm detects a lockfile from npm v6 or before during the package installation process, it is automatically updated to fetch missing information from either the \fBnode_modules\fR tree or (in the case of empty \fBnode_modules\fR trees or very old lockfile formats) the npm registry.54.SS "File Format"55.SS "\fBname\fR"56.P57The name of the package this is a package-lock for. This will match what's in \fBpackage.json\fR.58.SS "\fBversion\fR"59.P60The version of the package this is a package-lock for. This will match what's in \fBpackage.json\fR.61.SS "\fBlockfileVersion\fR"62.P63An integer version, starting at \fB1\fR with the version number of this document whose semantics were used when generating this \fBpackage-lock.json\fR.64.P65Note that the file format changed significantly in npm v7 to track information that would have otherwise required looking in \fBnode_modules\fR or the npm registry. Lockfiles generated by npm v7 will contain \fBlockfileVersion: 2\fR.66.RS 067.IP \(bu 468No version provided: an "ancient" shrinkwrap file from a version of npm prior to npm v5.69.IP \(bu 470\fB1\fR: The lockfile version used by npm v5 and v6.71.IP \(bu 472\fB2\fR: The lockfile version used by npm v7 and v8. Backwards compatible to v1 lockfiles.73.IP \(bu 474\fB3\fR: The lockfile version used by npm v9 and above. Backwards compatible to npm v7.75.RE 076 77.P78npm will always attempt to get whatever data it can out of a lockfile, even if it is not a version that it was designed to support.79.SS "\fBpackages\fR"80.P81This is an object that maps package locations to an object containing the information about that package.82.P83The root project is typically listed with a key of \fB""\fR, and all other packages are listed with their relative paths from the root project folder.84.P85Package descriptors have the following fields:86.RS 087.IP \(bu 488version: The version found in \fBpackage.json\fR89.IP \(bu 490resolved: The place where the package was actually resolved from. In the case of packages fetched from the registry, this will be a url to a tarball. In the case of git dependencies, this will be the full git url with commit sha. In the case of link dependencies, this will be the location of the link target. \fBregistry.npmjs.org\fR is a magic value meaning "the currently configured registry".91.IP \(bu 492integrity: A \fBsha512\fR or \fBsha1\fR \fBStandard Subresource Integrity\fR \fI\(lahttps://w3c.github.io/webappsec/specs/subresourceintegrity/\(ra\fR string for the artifact that was unpacked in this location.93.IP \(bu 494link: A flag to indicate that this is a symbolic link. If this is present, no other fields are specified, since the link target will also be included in the lockfile.95.IP \(bu 496dev, optional, devOptional: If the package is strictly part of the \fBdevDependencies\fR tree, then \fBdev\fR will be true. If it is strictly part of the \fBoptionalDependencies\fR tree, then \fBoptional\fR will be set. If it is both a \fBdev\fR dependency \fIand\fR an \fBoptional\fR dependency of a non-dev dependency, then \fBdevOptional\fR will be set. (An \fBoptional\fR dependency of a \fBdev\fR dependency will have both \fBdev\fR and \fBoptional\fR set.)97.IP \(bu 498inBundle: A flag to indicate that the package is a bundled dependency.99.IP \(bu 4100hasInstallScript: A flag to indicate that the package has a \fBpreinstall\fR, \fBinstall\fR, or \fBpostinstall\fR script.101.IP \(bu 4102hasShrinkwrap: A flag to indicate that the package has an \fBnpm-shrinkwrap.json\fR file.103.IP \(bu 4104bin, license, engines, dependencies, optionalDependencies: fields from \fBpackage.json\fR105.IP \(bu 4106os: An array of operating systems this package is compatible with, as specified in \fBpackage.json\fR. This field is included when the package specifies OS restrictions.107.IP \(bu 4108cpu: An array of CPU architectures this package is compatible with, as specified in \fBpackage.json\fR. This field is included when the package specifies CPU restrictions.109.IP \(bu 4110funding: Funding information for the package, as specified in \fBpackage.json\fR. This field contains details about how to support the package maintainers.111.RE 0112 113.SS "dependencies"114.P115Legacy data for supporting versions of npm that use \fBlockfileVersion: 1\fR. This is a mapping of package names to dependency objects. Because the object structure is strictly hierarchical, symbolic link dependencies are somewhat challenging to represent in some cases.116.P117npm v7 ignores this section entirely if a \fBpackages\fR section is present, but does keep it up to date in order to support switching between npm v6 and npm v7.118.P119Dependency objects have the following fields:120.RS 0121.IP \(bu 4122version: a specifier that varies depending on the nature of the package, and is usable in fetching a new copy of it. Note that for peer dependencies that are not installed, or optional dependencies that are not installed, this field may be omitted.123.RS 4124.IP \(bu 4125bundled dependencies: Regardless of source, this is a version number that is purely for informational purposes.126.IP \(bu 4127registry sources: This is a version number. (eg, \fB1.2.3\fR)128.IP \(bu 4129git sources: This is a git specifier with resolved committish. (eg, \fBgit+https://example.com/foo/bar#115311855adb0789a0466714ed48a1499ffea97e\fR)130.IP \(bu 4131http tarball sources: This is the URL of the tarball. (eg, \fBhttps://example.com/example-1.3.0.tgz\fR)132.IP \(bu 4133local tarball sources: This is the file URL of the tarball. (eg \fBfile:///opt/storage/example-1.3.0.tgz\fR)134.IP \(bu 4135local link sources: This is the file URL of the link. (eg \fBfile:libs/our-module\fR)136.RE 0137 138.P139\fBNote:\fR The \fBversion\fR field may be omitted for certain types of dependencies, such as optional peer dependencies that are not installed. In these cases, only metadata fields like \fBdev\fR, \fBoptional\fR, and \fBpeer\fR will be present.140.IP \(bu 4141integrity: A \fBsha512\fR or \fBsha1\fR \fBStandard Subresource Integrity\fR \fI\(lahttps://w3c.github.io/webappsec/specs/subresourceintegrity/\(ra\fR string for the artifact that was unpacked in this location. For git dependencies, this is the commit sha.142.IP \(bu 4143resolved: For registry sources this is path of the tarball relative to the registry URL. If the tarball URL isn't on the same server as the registry URL then this is a complete URL. \fBregistry.npmjs.org\fR is a magic value meaning "the currently configured registry".144.IP \(bu 4145bundled: If true, this is the bundled dependency and will be installed by the parent module. When installing, this module will be extracted from the parent module during the extract phase, not installed as a separate dependency.146.IP \(bu 4147dev: If true then this dependency is either a development dependency ONLY of the top level module or a transitive dependency of one. This is false for dependencies that are both a development dependency of the top level and a transitive dependency of a non-development dependency of the top level.148.IP \(bu 4149optional: If true then this dependency is either an optional dependency ONLY of the top level module or a transitive dependency of one. This is false for dependencies that are both an optional dependency of the top level and a transitive dependency of a non-optional dependency of the top level.150.IP \(bu 4151requires: This is a mapping of module name to version. This is a list of everything this module requires, regardless of where it will be installed. The version should match via normal matching rules a dependency either in our \fBdependencies\fR or in a level higher than us.152.IP \(bu 4153dependencies: The dependencies of this dependency, exactly as at the top level.154.RE 0155 156.SS "See also"157.RS 0158.IP \(bu 4159npm help shrinkwrap160.IP \(bu 4161\fBnpm-shrinkwrap.json\fR \fI\(la/configuring-npm/npm-shrinkwrap-json\(ra\fR162.IP \(bu 4163\fBpackage.json\fR \fI\(la/configuring-npm/package-json\(ra\fR164.IP \(bu 4165npm help install166.RE 0167