|
|
- .TH "PACKAGE\-LOCK\.JSON" "5" "August 2018" "" ""
- .SH "NAME"
- \fBpackage-lock.json\fR \- A manifestation of the manifest
- .SH DESCRIPTION
- .P
- \fBpackage\-lock\.json\fP is automatically generated for any operations where npm
- modifies either the \fBnode_modules\fP tree, or \fBpackage\.json\fP\|\. It describes the
- exact tree that was generated, such that subsequent installs are able to
- generate identical trees, regardless of intermediate dependency updates\.
- .P
- This file is intended to be committed into source repositories, and serves
- various purposes:
- .RS 0
- .IP \(bu 2
- Describe a single representation of a dependency tree such that teammates, deployments, and continuous integration are guaranteed to install exactly the same dependencies\.
- .IP \(bu 2
- Provide a facility for users to "time\-travel" to previous states of \fBnode_modules\fP without having to commit the directory itself\.
- .IP \(bu 2
- To facilitate greater visibility of tree changes through readable source control diffs\.
- .IP \(bu 2
- And optimize the installation process by allowing npm to skip repeated metadata resolutions for previously\-installed packages\.
-
- .RE
- .P
- One key detail about \fBpackage\-lock\.json\fP is that it cannot be published, and it
- will be ignored if found in any place other than the toplevel package\. It shares
- a format with npm help 5 shrinkwrap\.json, which is essentially the same file, but
- allows publication\. This is not recommended unless deploying a CLI tool or
- otherwise using the publication process for producing production packages\.
- .P
- If both \fBpackage\-lock\.json\fP and \fBnpm\-shrinkwrap\.json\fP are present in the root of
- a package, \fBpackage\-lock\.json\fP will be completely ignored\.
- .SH FILE FORMAT
- .SS name
- .P
- The name of the package this is a package\-lock for\. This must match what's in
- \fBpackage\.json\fP\|\.
- .SS version
- .P
- The version of the package this is a package\-lock for\. This must match what's in
- \fBpackage\.json\fP\|\.
- .SS lockfileVersion
- .P
- An integer version, starting at \fB1\fP with the version number of this document
- whose semantics were used when generating this \fBpackage\-lock\.json\fP\|\.
- .SS packageIntegrity
- .P
- This is a subresource
- integrity \fIhttps://w3c\.github\.io/webappsec/specs/subresourceintegrity/\fR value
- created from the \fBpackage\.json\fP\|\. No preprocessing of the \fBpackage\.json\fP should
- be done\. Subresource integrity strings can be produced by modules like
- \fBssri\fP \fIhttps://www\.npmjs\.com/package/ssri\fR\|\.
- .SS preserveSymlinks
- .P
- Indicates that the install was done with the environment variable
- \fBNODE_PRESERVE_SYMLINKS\fP enabled\. The installer should insist that the value of
- this property match that environment variable\.
- .SS dependencies
- .P
- A mapping of package name to dependency object\. Dependency objects have the
- following properties:
- .SS version
- .P
- This is a specifier that uniquely identifies this package and should be
- usable in fetching a new copy of it\.
- .RS 0
- .IP \(bu 2
- bundled dependencies: Regardless of source, this is a version number that is purely for informational purposes\.
- .IP \(bu 2
- registry sources: This is a version number\. (eg, \fB1\.2\.3\fP)
- .IP \(bu 2
- git sources: This is a git specifier with resolved committish\. (eg, \fBgit+https://example\.com/foo/bar#115311855adb0789a0466714ed48a1499ffea97e\fP)
- .IP \(bu 2
- http tarball sources: This is the URL of the tarball\. (eg, \fBhttps://example\.com/example\-1\.3\.0\.tgz\fP)
- .IP \(bu 2
- local tarball sources: This is the file URL of the tarball\. (eg \fBfile:///opt/storage/example\-1\.3\.0\.tgz\fP)
- .IP \(bu 2
- local link sources: This is the file URL of the link\. (eg \fBfile:libs/our\-module\fP)
-
- .RE
- .SS integrity
- .P
- This is a Standard Subresource
- Integrity \fIhttps://w3c\.github\.io/webappsec/specs/subresourceintegrity/\fR for this
- resource\.
- .RS 0
- .IP \(bu 2
- For bundled dependencies this is not included, regardless of source\.
- .IP \(bu 2
- For registry sources, this is the \fBintegrity\fP that the registry provided, or if one wasn't provided the SHA1 in \fBshasum\fP\|\.
- .IP \(bu 2
- For git sources this is the specific commit hash we cloned from\.
- .IP \(bu 2
- For remote tarball sources this is an integrity based on a SHA512 of
- the file\.
- .IP \(bu 2
- For local tarball sources: This is an integrity field based on the SHA512 of the file\.
-
- .RE
- .SS resolved
- .RS 0
- .IP \(bu 2
- For bundled dependencies this is not included, regardless of source\.
- .IP \(bu 2
- For registry sources this is path of the tarball relative to the registry
- URL\. If the tarball URL isn't on the same server as the registry URL then
- this is a complete URL\.
-
- .RE
- .SS bundled
- .P
- If true, this is the bundled dependency and will be installed by the parent
- module\. When installing, this module will be extracted from the parent
- module during the extract phase, not installed as a separate dependency\.
- .SS dev
- .P
- If true then this dependency is either a development dependency ONLY of the
- top level module or a transitive dependency of one\. This is false for
- dependencies that are both a development dependency of the top level and a
- transitive dependency of a non\-development dependency of the top level\.
- .SS optional
- .P
- If true then this dependency is either an optional dependency ONLY of the
- top level module or a transitive dependency of one\. This is false for
- dependencies that are both an optional dependency of the top level and a
- transitive dependency of a non\-optional dependency of the top level\.
- .P
- All optional dependencies should be included even if they're uninstallable
- on the current platform\.
- .SS requires
- .P
- This is a mapping of module name to version\. This is a list of everything
- this module requires, regardless of where it will be installed\. The version
- should match via normal matching rules a dependency either in our
- \fBdependencies\fP or in a level higher than us\.
- .SS dependencies
- .P
- The dependencies of this dependency, exactly as at the top level\.
- .SH SEE ALSO
- .RS 0
- .IP \(bu 2
- npm help shrinkwrap
- .IP \(bu 2
- npm help 5 shrinkwrap\.json
- .IP \(bu 2
- npm help 5 package\-locks
- .IP \(bu 2
- npm help 5 package\.json
- .IP \(bu 2
- npm help install
-
- .RE
-
|