man pages section 5: File Formats

Updated: Thursday, June 13, 2019
 
 

package-lock.json (5)

Name

package-lock.json - A manifestation of the manifest

Synopsis

Please see following description for synopsis

Description

PACKAGE-LOCK.JSON(5)                                      PACKAGE-LOCK.JSON(5)



NAME
       package-lock.json - A manifestation of the manifest

DESCRIPTION
       package-lock.json  is  automatically generated for any operations where
       npm  modifies  either  the  node_modules  tree,  or  package.json.   It
       describes  the  exact  tree  that  was  generated, such that subsequent
       installs are able to generate identical trees, regardless of intermedi-
       ate dependency updates.

       This  file  is  intended  to be committed into source repositories, and
       serves various purposes:

       o Describe a single representation of a dependency tree such that team-
         mates,  deployments,  and  continuous  integration  are guaranteed to
         install exactly the same dependencies.

       o Provide a facility for users to "time-travel" to previous  states  of
         node_modules without having to commit the directory itself.

       o To  facilitate  greater  visibility  of tree changes through readable
         source control diffs.

       o And optimize  the  installation  process  by  allowing  npm  to  skip
         repeated metadata resolutions for previously-installed packages.


       One  key detail about package-lock.json is that it cannot be published,
       and it will be ignored if found in any place other  than  the  toplevel
       package.  It  shares a format with npm help 5 shrinkwrap.json, which is
       essentially the same file, but allows publication. This is  not  recom-
       mended  unless  deploying a CLI tool or otherwise using the publication
       process for producing production packages.

       If both package-lock.json and npm-shrinkwrap.json are  present  in  the
       root of a package, package-lock.json will be completely ignored.

FILE FORMAT
   name
       The  name  of  the  package this is a package-lock for. This must match
       what's in package.json.

   version
       The version of the package this is a package-lock for. This must  match
       what's in package.json.

   lockfileVersion
       An integer version, starting at 1 with the version number of this docu-
       ment whose semantics were used when generating this package-lock.json.

   packageIntegrity
       This is a subresource integrity
       https://w3c.github.io/webappsec/specs/subresourceintegrity/ value
       created from the package.json. No preprocessing of the package.json
       should be done. Subresource integrity strings can be produced by
       modules like ssri https://www.npmjs.com/package/ssri.

   preserveSymlinks
       Indicates that the install  was  done  with  the  environment  variable
       NODE_PRESERVE_SYMLINKS  enabled.  The  installer should insist that the
       value of this property match that environment variable.

   dependencies
       A mapping of package name to  dependency  object.   Dependency  objects
       have the following properties:

   version
       This is a specifier that uniquely identifies this package and should be
       usable in fetching a new copy of it.

       o bundled dependencies: Regardless of source, this is a version  number
         that is purely for informational purposes.

       o registry sources: This is a version number. (eg, 1.2.3)

       o git sources: This is a git specifier with resolved committish. (eg,
         git+https://example.com/foo/bar#115311855adb0789a0466714ed48a1499ffea97e)

       o http   tarball  sources:  This  is  the  URL  of  the  tarball.  (eg,
         https://example.com/example-1.3.0.tgz)

       o local tarball sources: This is the  file  URL  of  the  tarball.  (eg
         file:///opt/storage/example-1.3.0.tgz)

       o local   link  sources:  This  is  the  file  URL  of  the  link.  (eg
         file:libs/our-module)


   integrity
       This is a Standard Subresource Integrity
       https://w3c.github.io/webappsec/specs/subresourceintegrity/ for this
       resource.

       o For bundled dependencies this is not included, regardless of source.

       o For registry sources, this is the integrity that  the  registry  pro-
         vided, or if one wasn't provided the SHA1 in shasum.

       o For git sources this is the specific commit hash we cloned from.

       o For  remote tarball sources this is an integrity based on a SHA512 of
         the file.

       o For local tarball sources: This is an integrity field  based  on  the
         SHA512 of the file.


   resolved
       o For bundled dependencies this is not included, regardless of source.

       o For registry sources this is the path of the tarball relative to the
         registry URL.  If the tarball URL isn't on the same server as the
         registry URL then this is a complete URL.


   bundled
       If  true,  this  is the bundled dependency and will be installed by the
       parent module.  When installing, this module will be extracted from the
       parent  module  during  the  extract phase, not installed as a separate
       dependency.

   dev
       If true then this dependency is either a development dependency ONLY of
       the  top level module or a transitive dependency of one.  This is false
       for dependencies that are both a  development  dependency  of  the  top
       level  and  a  transitive dependency of a non-development dependency of
       the top level.

   optional
       If true then this dependency is either an optional dependency  ONLY  of
       the  top level module or a transitive dependency of one.  This is false
       for dependencies that are both an optional dependency of the top  level
       and  a  transitive  dependency  of a non-optional dependency of the top
       level.

       All optional dependencies should be included even if they're  uninstal-
       lable on the current platform.

   requires
       This  is a mapping of module name to version.  This is a list of every-
       thing this module requires, regardless of where it will  be  installed.
       The  version should match via normal matching rules a dependency either
       in our dependencies or in a level higher than us.

   dependencies
       The dependencies of this dependency, exactly as at the top level.
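
       Added example, not part of the npm documentation: a Node.js check that
       walks the nested dependencies maps described above and reports entries
       whose version, integrity or resolved fields deserve review. The sample
       lockfile is constructed, and treating SHA1-only integrity and plaintext
       http as findings is this example's own policy.

```javascript
// Added example: audit a lockfileVersion 1 tree as described in FILE FORMAT.
// SAMPLE_LOCK is constructed; package names and hash values are placeholders.
const SAMPLE_LOCK = { name: "demo-app", version: "1.0.0", lockfileVersion: 1,
  dependencies: {
    good: { version: "1.2.3", integrity: "sha512-PLACEHOLDER==",
      resolved: "https://registry.npmjs.org/good/-/good-1.2.3.tgz" },
    legacy: { version: "0.9.0", integrity: "sha1-PLACEHOLDER=",
      resolved: "http://registry.npmjs.org/legacy/-/legacy-0.9.0.tgz",
      dependencies: { inner: { version: "https://example.com/example-1.3.0.tgz" } } },
    vendored: { version: "2.0.0", bundled: true },
    forked: { version:
      "git+https://example.com/foo/bar#115311855adb0789a0466714ed48a1499ffea97e" } } };

// Classify a dependency object by the form of its `version` specifier.
function sourceKind(dep) {
  const v = String(dep.version || "");
  if (dep.bundled) return "bundled";
  if (/^git[+:]/.test(v)) return "git";
  if (/^https?:/.test(v)) return "http-tarball";
  if (/^file:/.test(v)) return /\.t(ar\.)?gz$/.test(v) ? "local-tarball" : "local-link";
  return "registry";
}

// Walk the nested `dependencies` maps and collect entries a reviewer should check.
function auditLock(lock) {
  const findings = [];
  (function walk(deps, path) {
    for (const [name, dep] of Object.entries(deps || {})) {
      const where = [...path, name].join(" > ");
      const kind = sourceKind(dep);
      const flag = (issue) => findings.push({ where, kind, issue });
      if (kind === "git") {
        // Git sources are pinned by the committish in the specifier.
        if (!/#[0-9a-f]{40}$/.test(dep.version)) flag("git source not pinned to a full commit hash");
      } else if (kind !== "bundled" && kind !== "local-link") {
        // An integrity string may hold several space-separated hashes.
        const hashes = String(dep.integrity || "").split(/\s+/).filter(Boolean);
        if (hashes.length === 0) flag("no integrity value");
        else if (!hashes.some((h) => /^sha(256|384|512)-/.test(h))) flag("integrity has no SHA-256/384/512 hash");
      }
      if (/^http:/.test(dep.resolved || "") || /^(git\+)?http:/.test(dep.version || ""))
        flag("fetched over plaintext http");
      walk(dep.dependencies, [...path, name]);
    }
  })(lock.dependencies, []);
  return findings;
}

console.log(auditLock(SAMPLE_LOCK));
```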


ATTRIBUTES
       See attributes(7) for descriptions of the following attributes:


       +---------------+-------------------------+
       |ATTRIBUTE TYPE |    ATTRIBUTE VALUE      |
       +---------------+-------------------------+
       |Availability   | runtime/nodejs/nodejs-8 |
       +---------------+-------------------------+
       |Stability      | Pass-thru volatile      |
       +---------------+-------------------------+

SEE ALSO
       o npm help shrinkwrap

       o npm help 5 shrinkwrap.json

       o npm help 5 package-locks

       o npm help 5 package.json

       o npm help install




NOTES
       This software was built from source available at
       https://github.com/oracle/solaris-userland.  The original community
       source was downloaded from
       https://github.com/nodejs/node/archive/v8.15.1.zip

       Further information about this software can be found on the open source
       community website at https://github.com/nodejs/node.



                                  August 2018             PACKAGE-LOCK.JSON(5)