npm Community Forum (Archive)


Putting the top-level package's version in package-lock.json

Why does npm put the top-level package’s version in the package-lock.json file?

As an example, if I have a package.json that looks like this:

  {
    "name": "top-level-package",
    "version": "1.0.1",
    "dependencies": {
      "express": "^4"
    }
  }

Why should 1.0.1 show up in the package-lock.json file at all? Isn’t the purpose of package-lock.json to lock down dependencies? Bumping a package’s version doesn’t intrinsically change any dependencies. Yet npm does put it there.

The reason this has come up in my case is that we use a different tool to update our package version in package.json. After that point, subsequent npm install runs will update package-lock.json with the bumped version change.

Is there a reason for keeping the top-level package’s version in package-lock.json? I know that yarn.lock does not do this (merely mentioning, I don’t expect you to do things just because yarn does them).