package-lock.json Explained (Node.js interview questions)

Q1. What is package-lock.json?
package-lock.json is automatically generated when npm modifies node_modules or package.json. It describes the exact dependency tree that was installed, including exact versions of all nested dependencies. It ensures consistent installs across different environments by locking versions.

Q2. Why is package-lock.json important?
It ensures that every developer on a project, and every deployment, installs exactly the same dependencies. Even though package.json declares SemVer ranges, package-lock.json records the exact version that was actually resolved. This prevents "works on my machine" issues caused by subtle differences in dependency versions.

Q3. Should you commit package-lock.json to version control?
Yes, you should commit package-lock.json for applications. It ensures consistent installs across environments. For libraries it is debatable: some projects commit it, some don't, because the lock file is not published with the package and consumers never use it. npm itself recommends committing it for projects. It helps with security audits and reproducible builds.

Q4. What's the difference between package.json and package-lock.json?
package.json specifies version ranges (like ^1.2.3). package-lock.json locks the exact versions (like 1.2.5) for all dependencies and their transitive dependencies. package.json is for humans and broad requirements; package-lock.json is for machines and exact, repeatable installs.

Q5. How do you update package-lock.json?
Running npm install updates package-lock.json according to package.json. npm update moves packages to the newest versions allowed by their ranges and rewrites the lock file accordingly. If you need to regenerate it, delete node_modules and package-lock.json, then run npm install. Be careful, as this may pull newer versions. In CI and deployments, prefer npm ci, which installs exactly what the lock file records and fails instead of silently modifying it when package.json and the lock are out of sync.
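The "security audits and reproducible builds" point above depends on what the lock file actually records. The following is an added example, not code from the Quipoin page or from npm: a small Node.js check over a lockfileVersion 3 package-lock.json that verifies each locked package is pinned to an exact version, carries a sha512 integrity hash and resolves to the expected registry, and that every direct dependency in package.json has a locked entry. The lock object, package names and hashes are constructed inline so it runs offline.

```javascript
const EXPECTED_REGISTRY = "https://registry.npmjs.org/";
// Constructed sample lock (lockfileVersion 3). It contains one clean entry, one
// entry resolved from an unexpected host and one nested entry with no integrity.
const sampleLock = {
  name: "demo-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", dependencies: { "left-pad-ish": "^1.2.0", "other-lib": "~2.0.0" } },
    "node_modules/left-pad-ish": {
      version: "1.2.5",
      resolved: "https://registry.npmjs.org/left-pad-ish/-/left-pad-ish-1.2.5.tgz",
      integrity: "sha512-AAAA...", // constructed placeholder, not a real hash
    },
    "node_modules/other-lib": {
      version: "2.0.1",
      resolved: "https://mirror.example.net/other-lib/-/other-lib-2.0.1.tgz",
      integrity: "sha512-BBBB...",
    },
    "node_modules/other-lib/node_modules/nested-dep": {
      version: "0.3.0",
      resolved: "https://registry.npmjs.org/nested-dep/-/nested-dep-0.3.0.tgz",
      // integrity deliberately absent
    },
  },
};
// Walk every locked package and return a list of human-readable findings.
function auditLock(lock, expectedRegistry = EXPECTED_REGISTRY) {
  const findings = [];
  if (!lock.packages) {
    findings.push("lockfileVersion 1 has no 'packages' map; regenerate with a current npm");
    return findings;
  }
  for (const [path, entry] of Object.entries(lock.packages)) {
    if (path === "" || entry.link) continue; // root project / workspace symlink
    if (!/^\d+\.\d+\.\d+/.test(entry.version || ""))
      findings.push(`${path}: version is not an exact pin (${entry.version})`);
    if (!entry.integrity || !entry.integrity.startsWith("sha512-"))
      findings.push(`${path}: missing or weak integrity hash`);
    if (!entry.resolved)
      findings.push(`${path}: no resolved URL`);
    else if (!entry.resolved.startsWith(expectedRegistry))
      findings.push(`${path}: resolved from unexpected source ${entry.resolved}`);
  }
  // Every direct dependency declared in package.json must have a locked entry.
  for (const name of Object.keys(lock.packages[""]?.dependencies || {}))
    if (!lock.packages[`node_modules/${name}`])
      findings.push(`${name}: declared in package.json but absent from the lock`);
  return findings;
}
```

To run it against a real project, replace sampleLock with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`; a clean lock yields an empty findings list.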