1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
|
.TH "PACKAGE\-LOCK\.JSON" "5" "July 2020" "" ""
.SH "NAME"
\fBpackage-lock.json\fR \- A manifestation of the manifest
.SS Description
.P
\fBpackage\-lock\.json\fP is automatically generated for any operations where npm
modifies either the \fBnode_modules\fP tree, or \fBpackage\.json\fP\|\. It describes the
exact tree that was generated, such that subsequent installs are able to
generate identical trees, regardless of intermediate dependency updates\.
.P
This file is intended to be committed into source repositories, and serves
various purposes:
.RS 0
.IP \(bu 2
Describe a single representation of a dependency tree such that teammates, deployments, and continuous integration are guaranteed to install exactly the same dependencies\.
.IP \(bu 2
Provide a facility for users to "time\-travel" to previous states of \fBnode_modules\fP without having to commit the directory itself\.
.IP \(bu 2
To facilitate greater visibility of tree changes through readable source control diffs\.
.IP \(bu 2
And optimize the installation process by allowing npm to skip repeated metadata resolutions for previously\-installed packages\.
.RE
.P
One key detail about \fBpackage\-lock\.json\fP is that it cannot be published, and it
will be ignored if found in any place other than the toplevel package\. It shares
a format with npm help npm\-shrinkwrap\.json, which is essentially the same file, but
allows publication\. This is not recommended unless deploying a CLI tool or
otherwise using the publication process for producing production packages\.
.P
If both \fBpackage\-lock\.json\fP and \fBnpm\-shrinkwrap\.json\fP are present in the root of
a package, \fBpackage\-lock\.json\fP will be completely ignored\.
.SS File Format
.SS name
.P
The name of the package this is a package\-lock for\. This must match what's in
\fBpackage\.json\fP\|\.
.SS version
.P
The version of the package this is a package\-lock for\. This must match what's in
\fBpackage\.json\fP\|\.
.SS lockfileVersion
.P
An integer version, starting at \fB1\fP with the version number of this document
whose semantics were used when generating this \fBpackage\-lock\.json\fP\|\.
.SS packageIntegrity
.P
This is a subresource
integrity \fIhttps://w3c\.github\.io/webappsec/specs/subresourceintegrity/\fR value
created from the \fBpackage\.json\fP\|\. No preprocessing of the \fBpackage\.json\fP should
be done\. Subresource integrity strings can be produced by modules like
\fBssri\fP \fIhttps://www\.npmjs\.com/package/ssri\fR\|\.
.SS preserveSymlinks
.P
Indicates that the install was done with the environment variable
\fBNODE_PRESERVE_SYMLINKS\fP enabled\. The installer should insist that the value of
this property match that environment variable\.
.SS dependencies
.P
A mapping of package name to dependency object\. Dependency objects have the
following properties:
.SS version
.P
This is a specifier that uniquely identifies this package and should be
usable in fetching a new copy of it\.
.RS 0
.IP \(bu 2
bundled dependencies: Regardless of source, this is a version number that is purely for informational purposes\.
.IP \(bu 2
registry sources: This is a version number\. (eg, \fB1\.2\.3\fP)
.IP \(bu 2
git sources: This is a git specifier with resolved committish\. (eg, \fBgit+https://example\.com/foo/bar#115311855adb0789a0466714ed48a1499ffea97e\fP)
.IP \(bu 2
http tarball sources: This is the URL of the tarball\. (eg, \fBhttps://example\.com/example\-1\.3\.0\.tgz\fP)
.IP \(bu 2
local tarball sources: This is the file URL of the tarball\. (eg \fBfile:///opt/storage/example\-1\.3\.0\.tgz\fP)
.IP \(bu 2
local link sources: This is the file URL of the link\. (eg \fBfile:libs/our\-module\fP)
.RE
.SS integrity
.P
This is a Standard Subresource
Integrity \fIhttps://w3c\.github\.io/webappsec/specs/subresourceintegrity/\fR for this
resource\.
.RS 0
.IP \(bu 2
For bundled dependencies this is not included, regardless of source\.
.IP \(bu 2
For registry sources, this is the \fBintegrity\fP that the registry provided, or if one wasn't provided the SHA1 in \fBshasum\fP\|\.
.IP \(bu 2
For git sources this is the specific commit hash we cloned from\.
.IP \(bu 2
For remote tarball sources this is an integrity based on a SHA512 of
the file\.
.IP \(bu 2
For local tarball sources: This is an integrity field based on the SHA512 of the file\.
.RE
.SS resolved
.RS 0
.IP \(bu 2
For bundled dependencies this is not included, regardless of source\.
.IP \(bu 2
For registry sources this is path of the tarball relative to the registry
URL\. If the tarball URL isn't on the same server as the registry URL then
this is a complete URL\.
.RE
.SS bundled
.P
If true, this is the bundled dependency and will be installed by the parent
module\. When installing, this module will be extracted from the parent
module during the extract phase, not installed as a separate dependency\.
.SS dev
.P
If true then this dependency is either a development dependency ONLY of the
top level module or a transitive dependency of one\. This is false for
dependencies that are both a development dependency of the top level and a
transitive dependency of a non\-development dependency of the top level\.
.SS optional
.P
If true then this dependency is either an optional dependency ONLY of the
top level module or a transitive dependency of one\. This is false for
dependencies that are both an optional dependency of the top level and a
transitive dependency of a non\-optional dependency of the top level\.
.P
All optional dependencies should be included even if they're uninstallable
on the current platform\.
.SS requires
.P
This is a mapping of module name to version\. This is a list of everything
this module requires, regardless of where it will be installed\. The version
should match via normal matching rules a dependency either in our
\fBdependencies\fP or in a level higher than us\.
.SS dependencies
.P
The dependencies of this dependency, exactly as at the top level\.
.SS See also
.RS 0
.IP \(bu 2
npm help shrinkwrap
.IP \(bu 2
npm help shrinkwrap\.json
.IP \(bu 2
npm help package\-locks
.IP \(bu 2
npm help package\.json
.IP \(bu 2
npm help install
.RE
|