Putting the top-level package's version in package-lock.json


(Andy Perlitch) #1

Why does npm put the top-level package’s version in the package-lock.json file?

As an example, if I have a package.json that looks like this:

{
  "name": "top-level-package",
  "version": "1.0.1",
  "dependencies": {
    "express": "^4"
  }
}

Why should 1.0.1 show up in the package-lock.json file at all? Isn’t the purpose of package-lock.json to lock down dependencies? Bumping a package’s version doesn’t intrinsically change any dependencies. Yet npm does put it there.

The reason this has come up in my case is that we use a different tool to update our package version in package.json. After that point, subsequent npm install runs will update package-lock.json with the bumped version change.

Is there a reason for keeping the top-level package’s version in package-lock.json? I know that yarn.lock does not do this (merely mentioning, I don’t expect you to do things just because yarn does them).

Thanks!
Andy


(system) #2

This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.