Dalia's blog
Package.json vs Package-lock.json vs npm-shrinkwrap.json – What's


Dalia Ihab
·Oct 4, 2022·

3 min read

npm is a package manager for JavaScript. It's typically used to install or publish front-end packages, but it can also be used to manage non-JS dependencies like CSS, HTML and fonts. Each package has its own file that defines its contents and dependencies: the package.json file for JavaScript packages, and the package-lock.json file for packages containing anything other than JavaScript code (i.e., metadata).


package.json is a file that contains metadata about an npm package. It is used to describe the JavaScript package and its dependencies, and it's what's used to store information about the project's author, version, name, and so on.

If you've ever installed or published a Node.js application using NPM (or Yarn), then chances are you have seen this file before in the project directory.

You can create a package.json file by running the command npm init.


package-lock.json is a file that contains a list of all the modules and their respective versions. It's used by npm to ensure that the same versions of all dependencies are installed, regardless of whether you run npm install again or version bumps occur in your dependencies between installs.

package-lock.json is generated by npm when you run npm install.


npm-shrinkwrap.json is a file created by npm shrinkwrap. It is identical to package-lock.json, with one major caveat: Unlike package-lock.json, npm-shrinkwrap.json may be included when publishing a package.

The difference between package-lock.json and npm-shrinkwrap.json

package-lock.json is never published to npm, whereas npm-shrinkwrap.json is by default. package-lock.json files that are not in the top-level package are ignored, but shrinkwrap files belonging to dependencies are respected.

npm-shrinkwrap.json is backwards-compatible with npm versions 2, 3, and 4, whereas package-lock.json is only recognized by npm 5+

Versioning and resolution

The package.json file is the default configuration file for a given project. It contains metadata such as the name of your library and its version number, as well as information about other dependencies that you may need in order to run your code.

In contrast, a package-lock.json file allows you to lock down the exact version of each dependency that is used by an npm install command or npm install --save command (or any similar command). This means you won't need to worry about dependency changes breaking your build on different computers when working with teams or collaborators on open source projects!
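As an added example (not code from the original post), the following Node.js script compares the version ranges declared in a package.json with the exact versions pinned in a package-lock.json and reports dependencies the lockfile does not pin to a verifiable version. Both files are constructed inline, the lockfile uses the lockfileVersion 2/3 layout (entries under "packages"), and the integrity value is a placeholder.

```javascript
// Added example, not from the original post. Both documents below are constructed inputs.
const packageJson = {
  name: "sample-app",
  dependencies: { lodash: "^4.17.20", express: "~4.18.0" },
  devDependencies: { jest: "29.0.0" },
};
const packageLock = {
  lockfileVersion: 3,
  packages: {
    "node_modules/lodash": {
      version: "4.17.21",
      resolved: "https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz",
      integrity: "sha512-PLACEHOLDER", // constructed placeholder, not a real hash
    },
    // express has no integrity field, so npm cannot verify its tarball against the lockfile
    "node_modules/express": { version: "4.18.2" },
    // jest is missing entirely: the lockfile has drifted from package.json
  },
};

// "^1.2.3" -> [1, 2, 3]: a leading "^" or "~" is stripped, prerelease tags are ignored.
const parseVersion = (v) => v.replace(/^[^\d]*/, "").split(".").slice(0, 3).map(Number);
function compareVersions(a, b) {
  const [pa, pb] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] - pb[i];
  return 0;
}

// True when `locked` satisfies `range` for the three common forms: "^X.Y.Z" (same major),
// "~X.Y.Z" (same major.minor) and an exact "X.Y.Z". The special ^0.x rules are not modelled.
function satisfies(range, locked) {
  const base = parseVersion(range), got = parseVersion(locked);
  if (compareVersions(locked, range) < 0) return false; // below the declared floor
  if (range.startsWith("^")) return got[0] === base[0];
  if (range.startsWith("~")) return got[0] === base[0] && got[1] === base[1];
  return compareVersions(locked, range) === 0;
}

// Report every declared dependency that the lockfile does not pin to a verifiable version.
function auditLockfile(pkg, lock) {
  const declared = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
  const findings = [];
  for (const [name, range] of Object.entries(declared)) {
    const entry = (lock.packages || {})[`node_modules/${name}`];
    if (!entry) { findings.push({ name, range, problem: "missing from lockfile" }); continue; }
    if (!satisfies(range, entry.version)) findings.push({ name, range, locked: entry.version, problem: "locked version outside declared range" });
    if (!entry.integrity) findings.push({ name, range, locked: entry.version, problem: "no integrity hash" });
  }
  return findings;
}
```

Running auditLockfile(packageJson, packageLock) on the sample input flags express (no integrity hash) and jest (missing from the lockfile), while lodash passes because its locked 4.17.21 satisfies ^4.17.20 and carries an integrity value.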

One major advantage of using these tools over hand-editing files is their ability to update themselves automatically when new versions become available, via npm itself or through third-party repositories like GitHub, Bitbucket, etc., without any human intervention whatsoever! This can save hours, if not days, of wasted time, depending on how often someone uses these tools each day.


We hope that this article has helped to clear up some of the confusion surrounding package-lock.json, npm-shrinkwrap.json, and package.json files.
