What is package-lock.json file?
What is package-lock.json file?

Hello and welcome back to the channel. In this video you will learn about how to work correctly with all dependencies in your project, lock files, package-lock, yarn.lock and what is it all about. Also I will share some important knowledge about working with lock files so make sure that you want this video until the end.
Let's jump right into it.

So what problem do we have? Normally when we develop we want to install some libraries. And I'm not even talking specifically about frontend now. It can be frontend, backend, mobile development. Everywhere is a same problem. We install 1-3-5 libraries and it just works. Then other developer installs this libraries on his machine in a month and everything stops working. Or even better - your production server made a new build and everything is broken.

What the problem? Some library was just updated. Let's say you installed a library 1.0 and after a month somebody installed 1.1 where they broke a method or API and now nothing is working. So it may sound really pessimistic but if some of you libraries in project were updated then you project is probably already broken.

Okay I think it's scary enough now.

So we want somehow to track libraries versions and understand that we install the correct version. If we are talking about javascript world (like frontend or Node) we have a package.json file. And this is where we are writing all our dependencies. Let's check on the real example.

So here is an empty folder and I will just generate new package.json file with

npm init

Now let's say we are doing NodeJS application and we want to install express package for this.

npm install express

Now in package.json we have a specific version of installed package. And here you have a caret symbol. This is a special notation that says that minor and patch versions can be updated. This means second and third numbers. At this moment most people think that if they will just remove caret symbol from here the version of package will be locked forever and we can simply always write

npm install

This is actually partially true. This line really promises that we will install express with this specific version. But things are actually more complicated. Because every package has it's own dependencies. If we open now node_modules folder we don't see just single folder with express package but thousands of libraries. This is because express has it's own dependencies. So while they developer express that install like 10 or 20 additional dependencies. And they the authors of that libraries also installed some dependencies. So to use just a single library normally you install the whole tree of libraries starting with the library that you actually want to install.

This brings us to the next point. It's not enough to just lock express because sure express package will be locked but you don't know how authors of express configured their dependencies and if that can be updated or not or authors of the dependencies or the dependencies. You get the point.

So the solution to this is somehow to lock the whole tree of all dependencies that you have. And this is exactly where lock files some into play. In every language you have the same solution with lock file which keeps track on all your dependencies and it's an only way to be sure that exactly this packages that are working now on your machine will be installed by next developer or on your production server.

In javascript world we have 2 lock files. Old node version generated shrinkwrap file. I won't talk about it because you won't get it with the new node version in any case. Which brings us the the node lock file. package-lock.json and yarn lock file yarn.lock. If you don't know what is yarn it's an alternative to npm which uses the same npm registries but manages and installs packages a little bit differently.

So every time when you install or update package with node you are getting this package-lock file. If you are working with yarn your yarn.lock file will be updated. As you can see we installed express with node and this is why we get here package-lock file.

Let's open it. As you can see this is tree representation of our dependencies. Here we can find express and see all it dependencies. But actually it's even more complex because it can happen that 2 different libraries have the same library as a dependency and depends on the version it may or may not be installed twice, as well as be a conflict between to different libraries.

This is basically why node_modules folder is so big and our applications in any language have so many dependencies. You can never be sure that your other library can work with the latest version of the same dependency that you are already using.

Also as you can imagine npm and yarn should be wise enough to resolve conflicts when you are trying to merge 2 lock files or update the dependencies every time correctly.

And here is the most important point that you need to remember. First of all you must always commit lock file in git. Because if you don't commit then next developer will install your dependencies not from lock file but from package.json which will lead to installing latest dependencies which are available and not the locked versions that we wanted.

Secondly you should never ever delete lock file. Even if you have conflict there that you can't resolve automatically. Removing the lock file brings your application in super dangerous state. Because next time when all packages will be installed it will be for sure broken somewhere on production without noticing the problem.

And if you think that I'm a little bit pessimistic about this stuff during the last 10 years I saw hundreds of times when production was broken because of the updating of some package even if it was patch or minor version so you should never believe that installing patch or minor won't break your code. An update is an update and anything can be broken.

So always use lockfiles, always commit them, don't believe the creators of libraries and you will have less overtimes.

Also don't forget to check my full courses regarding different web technologies.