Topic 3 of 18 · Node Expert

Topic 3 : Working with package lock json to lock the node modules versions

Lesson TL;DRTopic 3: Working with packagelock.json to Lock the Node Module Versions 📖 6 min read · 🎯 beginner · 🧭 Prerequisites: nodeprojects, postmanconfiguration Why this matters Here's the thing — you've pr...
6 min read·beginner·npm · package-lock-json · dependency-management · node-modules

Topic 3: Working with package-lock.json to Lock the Node Module Versions

📖 6 min read · 🎯 beginner · 🧭 Prerequisites: node-projects, postman-configuration

Why this matters

Here's the thing — you've probably run npm install on a project, everything worked fine on your machine, then a teammate pulls the same code and suddenly something breaks. Or worse, you deploy to production and it behaves differently than local. The culprit is almost always a dependency version that shifted quietly under the hood. package-lock.json exists to prevent exactly that. It locks every package — and every package's dependency — to a specific version, so "works on my machine" actually means something. In this lesson, we'll learn what's inside this file, why it gets generated, and how to use it with confidence.

What You'll Learn

  • What package-lock.json is, why npm generates it, and what problems it solves
  • How the file is created, updated, and structured
  • How to commit it to version control for consistent installs across environments
  • How to update dependencies safely and use npm ci for clean, reproducible installs
  • How to audit and fix security vulnerabilities using npm audit and npm audit fix

The Analogy

Think of package-lock.json as the bill of materials for a complex piece of furniture. The package.json is the design sketch that says "we need four legs, approximately 30 cm long." But the bill of materials says "leg model #A-4417, batch #220, supplier registry URL, checksum verified." When a new team member joins the factory — or when your code ships to a server — they don't have to guess what "approximately 30 cm" means. They pull the exact part from the exact supplier, and the chair comes out identical every single time. Without the bill of materials, two factories could build two different chairs from the same sketch without either of them doing anything wrong.

Chapter 1: Introduction to package-lock.json

package-lock.json is automatically generated by npm whenever dependencies are installed or modified. Its job is to pin the exact resolved version of every package in your dependency tree — including the dependencies of your dependencies — so that npm install produces the same node_modules folder on every machine, every time.

Key features of package-lock.json:

  1. Version Locking — Ensures that the exact versions of dependencies and their sub-dependencies are installed, even when package.json uses loose range specifiers like ^ or ~.
  2. Faster Installs — Speeds up installation because npm already knows which version satisfies each range; no resolution step needed.
  3. Security — Provides an exact, auditable dependency tree that npm audit can scan for known vulnerabilities.

Chapter 2: Creating and Updating package-lock.json

Creating package-lock.json

When you initialize a new Node.js project and install your first dependency, npm creates package-lock.json automatically alongside package.json.

npm init -y
npm install express

Running these two commands produces both package.json (your project manifest) and package-lock.json (the locked dependency snapshot).

Updating package-lock.json

Any operation that changes the dependency tree also rewrites package-lock.json to reflect the new state.

npm install lodash      # adds lodash, updates lock file
npm update              # updates all packages within version ranges, updates lock file
npm uninstall express   # removes express, updates lock file

You never need to edit package-lock.json by hand — npm owns it.

Chapter 3: Understanding the Structure of package-lock.json

package-lock.json stores a complete, flat snapshot of every package in your tree. Here is a real-world example with express and lodash installed:

{
  "name": "my-node-app",
  "version": "1.0.0",
  "lockfileVersion": 2,
  "requires": true,
  "packages": {
    "": {
      "version": "1.0.0",
      "license": "ISC",
      "dependencies": {
        "express": "^4.17.1",
        "lodash": "^4.17.21"
      }
    },
    "node_modules/express": {
      "version": "4.17.1",
      "resolved": "https://registry.npmjs.org/express/-/express-4.17.1.tgz",
      "integrity": "sha512-...",
      "dependencies": {
        "accepts": "~1.3.7",
        "array-flatten": "1.1.1"
      }
    },
    "node_modules/lodash": {
      "version": "4.17.21",
      "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz",
      "integrity": "sha512-..."
    }
  },
  "dependencies": {
    "express": {
      "version": "4.17.1",
      "resolved": "https://registry.npmjs.org/express/-/express-4.17.1.tgz",
      "integrity": "sha512-...",
      "requires": {
        "accepts": "~1.3.7",
        "array-flatten": "1.1.1"
      }
    },
    "lodash": {
      "version": "4.17.21",
      "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz",
      "integrity": "sha512-..."
    }
  }
}

Key sections explained:

  1. packages — The primary record in lockfileVersion: 2. Contains every package in the tree, including the root project itself (indicated by the empty-string key ""). Each entry records the resolved registry URL and an integrity hash for tamper detection.
  2. dependencies — A legacy-compatible flat map retained for tools that read the older lockfileVersion: 1 format. Lists all dependencies with their versions, resolved URLs, and requires sub-maps.
graph TD
    A["package.json<br/>(version ranges)"] -->|npm install| B["package-lock.json<br/>(exact pinned versions)"]
    B -->|npm ci| C["node_modules<br/>(reproducible install)"]
    B -->|git commit| D["Version Control<br/>(shared with team)"]
    D --> E["CI Server"]
    D --> F["Teammate's machine"]
    E -->|npm ci| C
    F -->|npm ci| C

Chapter 4: Ensuring Consistency Across Environments

package-lock.json is only useful if every environment uses the same file. That means committing it to version control is non-negotiable.

git add package-lock.json
git commit -m "Add package-lock.json"

By committing package-lock.json, every team member and every deployment environment will install the exact same dependency versions. This eliminates an entire class of bugs that only appear on one machine or only in production — the dreaded "it works on my laptop" category.

Rule of thumb: always commit package-lock.json. Never add it to .gitignore.

Chapter 5: Handling Dependency Updates

Updating Dependencies

Use npm update to update packages according to the version ranges already specified in package.json. npm respects the range (e.g., ^4.17.1 allows any 4.x.x) and bumps packages to the highest allowed version, then rewrites package-lock.json accordingly.

npm update

Rebuilding the Dependency Tree Cleanly

When you want to guarantee that your local node_modules exactly matches what package-lock.json describes — no more, no less — use npm ci instead of npm install. npm ci removes the existing node_modules directory entirely before installing, ensuring a pristine, reproducible result.

npm ci

npm ci is the right command for CI/CD pipelines and production deployments. npm install is for development, where you actively change dependencies. Use npm ci when you want to consume the lock file; use npm install when you want to update it.

Chapter 6: Security and Auditing

package-lock.json provides an exact dependency tree that npm can cross-reference against the npm advisory database to detect known vulnerabilities.

Auditing Dependencies

Run npm audit to scan your full dependency tree for security issues. It reports severity (low / moderate / high / critical), affected package, and a suggested fix path.

npm audit

Fixing Vulnerabilities

Run npm audit fix to let npm automatically apply the safest available fix — usually a minor or patch upgrade that resolves the vulnerability without breaking your API contract.

npm audit fix

If a fix requires a semver-major bump (a potentially breaking change), npm will flag it but not apply it automatically. In that case you can review and apply manually, or run:

npm audit fix --force

Use --force with care — it may introduce breaking changes that require code updates.

🧪 Try It Yourself

Task: Create a small Node.js project, install two packages, inspect the lock file, and run a security audit.

Steps:

  1. Create a new directory and initialize a project:
mkdir lock-demo && cd lock-demo
npm init -y
  1. Install express and lodash:
npm install express lodash

  1. Open package-lock.json and find the "node_modules/express" entry. Note its version, resolved URL, and integrity hash.

  2. Run the security audit:

npm audit

Success criterion: You should see a package-lock.json file in your directory. npm audit should return a report — even "found 0 vulnerabilities" is a valid result and confirms the audit ran correctly. If vulnerabilities are reported, run npm audit fix and re-run npm audit to verify they are resolved.

🔍 Checkpoint Quiz

Q1. Why should package-lock.json always be committed to version control?

A) It contains secret API keys needed at runtime
B) It ensures every environment installs the exact same dependency versions
C) It replaces package.json and is the only file npm needs
D) It speeds up git operations by caching package downloads

Q2. Given the following command sequence, which file gets updated last?

npm install axios
npm uninstall lodash
npm update

A) package.json only
B) node_modules/ only
C) Both package.json and package-lock.json
D) package-lock.json only

Q3. What is the difference between npm install and npm ci?

A) npm install is faster; npm ci is for production only
B) npm ci reads package-lock.json exactly and wipes node_modules first; npm install resolves ranges and may update the lock file
C) They are identical commands with different names
D) npm ci only installs dev dependencies

Q4. You run npm audit and see a high-severity vulnerability in a transitive dependency. What is the recommended first command to try?

A) rm -rf node_modules && npm install
B) npm audit fix
C) Manually edit package-lock.json to change the version
D) npm update --save

A1. B — Committing package-lock.json means every team member and CI/CD server installs the identical resolved versions, eliminating environment-specific bugs.

A2. C — Each of those three commands modifies both package.json (the manifest) and package-lock.json (the lock snapshot) to reflect the updated dependency tree.

A3. B — npm ci is designed for reproducible installs: it deletes node_modules, reads package-lock.json as the strict source of truth, and never modifies the lock file. npm install resolves semver ranges and will update the lock file if a newer satisfying version exists.

A4. B — npm audit fix attempts the safest automatic fix (usually a patch/minor bump). Manual lock-file edits are error-prone and overwritten by the next npm install. --force is available if the safe fix is insufficient, but should be reviewed first.

🪞 Recap

  • package-lock.json is auto-generated by npm and records the exact resolved version, registry URL, and integrity hash for every package in your dependency tree.
  • It has three key benefits: deterministic installs (version locking), faster installs (no resolution step), and security auditability.
  • Commit package-lock.json to version control so all environments — local, CI, production — install identical dependencies.
  • Use npm install during development to add or change dependencies; use npm ci in automated pipelines to install strictly from the lock file.
  • npm audit scans for known vulnerabilities; npm audit fix applies the safest automatic remediation.

📚 Further Reading

Like this topic? It’s one of 18 in Node Expert.

Block your seat for ₹2,500 and join the next cohort.

Course detailsBlock your seat →