After updating my NPM to the latest version (from 3.X to 5.2.0) and running npm install on an existing project, I get an auto-created package-lock.json file.
I can tell package-lock.json gives me an exact dependency tree as opposed to package.json.
From that info alone, it seems like package.json is redundant and not needed anymore.
Are both of them necessary for NPM to work?
Is it safe or possible to use only the package-lock.json file?
The docs on package-lock.json (doc1, doc2) don't mention anything about that.
Edit:
After some more thinking about it, I came to the conclusion that if someone wants to use your project with an older version of NPM (before 5.x) it would still install all of the dependencies, but with less accurate versions (patch versions).