.TH "PACKAGE\-LOCK\.JSON" "5" "November 2019" "" ""
.SH "NAME"
\fBpackage-lock.json\fR \- A manifestation of the manifest
.SS Description
.P
\fBpackage\-lock\.json\fP is automatically generated for any operations where npm
modifies either the \fBnode_modules\fP tree, or \fBpackage\.json\fP\|\. It describes the
exact tree that was generated, such that subsequent installs are able to
generate identical trees, regardless of intermediate dependency updates\.
.P
This file is intended to be committed into source repositories, and serves
various purposes:
.RS 0
.IP \(bu 2
Describe a single representation of a dependency tree such that teammates, deployments, and continuous integration are guaranteed to install exactly the same dependencies\.
.IP \(bu 2
Provide a facility for users to "time\-travel" to previous states of \fBnode_modules\fP without having to commit the directory itself\.
.IP \(bu 2
Facilitate greater visibility of tree changes through readable source control diffs\.
.IP \(bu 2
Optimize the installation process by allowing npm to skip repeated metadata resolutions for previously\-installed packages\.

.RE
.P
One key detail about \fBpackage\-lock\.json\fP is that it cannot be published, and it
will be ignored if found in any place other than the top\-level package\. It shares
a format with npm help npm\-shrinkwrap\.json, which is essentially the same file, but
allows publication\. This is not recommended unless deploying a CLI tool or
otherwise using the publication process for producing production packages\.
.P
If both \fBpackage\-lock\.json\fP and \fBnpm\-shrinkwrap\.json\fP are present in the root of
a package, \fBpackage\-lock\.json\fP will be completely ignored\.
.SS File Format
.SS name
.P
The name of the package this is a package\-lock for\. This must match what's in
\fBpackage\.json\fP\|\.
.SS version
.P
The version of the package this is a package\-lock for\. This must match what's in
\fBpackage\.json\fP\|\.
.SS lockfileVersion
.P
An integer version, starting at \fB1\fP, giving the version number of this document
whose semantics were used when generating this \fBpackage\-lock\.json\fP\|\.
.SS packageIntegrity
.P
This is a subresource
integrity \fIhttps://w3c\.github\.io/webappsec/specs/subresourceintegrity/\fR value
created from the \fBpackage\.json\fP\|\. No preprocessing of the \fBpackage\.json\fP should
be done\. Subresource integrity strings can be produced by modules like
\fBssri\fP \fIhttps://www\.npmjs\.com/package/ssri\fR\|\.
.SS preserveSymlinks
.P
Indicates that the install was done with the environment variable
\fBNODE_PRESERVE_SYMLINKS\fP enabled\. The installer should insist that the value of
this property match that environment variable\.
.SS dependencies
.P
A mapping of package name to dependency object\. Dependency objects have the
following properties:
.SS version
.P
This is a specifier that uniquely identifies this package and should be
usable in fetching a new copy of it\.
.RS 0
.IP \(bu 2
bundled dependencies: Regardless of source, this is a version number that is purely for informational purposes\.
.IP \(bu 2
registry sources: This is a version number\. (e\.g\., \fB1\.2\.3\fP)
.IP \(bu 2
git sources: This is a git specifier with resolved committish\. (e\.g\., \fBgit+https://example\.com/foo/bar#115311855adb0789a0466714ed48a1499ffea97e\fP)
.IP \(bu 2
http tarball sources: This is the URL of the tarball\. (e\.g\., \fBhttps://example\.com/example\-1\.3\.0\.tgz\fP)
.IP \(bu 2
local tarball sources: This is the file URL of the tarball\. (e\.g\., \fBfile:///opt/storage/example\-1\.3\.0\.tgz\fP)
.IP \(bu 2
local link sources: This is the file URL of the link\. (e\.g\., \fBfile:libs/our\-module\fP)

.RE
.SS integrity
.P
This is a Standard Subresource
Integrity \fIhttps://w3c\.github\.io/webappsec/specs/subresourceintegrity/\fR for this
resource\.
.RS 0
.IP \(bu 2
For bundled dependencies this is not included, regardless of source\.
.IP \(bu 2
For registry sources, this is the \fBintegrity\fP that the registry provided, or if one wasn't provided the SHA1 in \fBshasum\fP\|\.
.IP \(bu 2
For git sources this is the specific commit hash we cloned from\.
.IP \(bu 2
For remote tarball sources this is an integrity based on a SHA512 of
the file\.
.IP \(bu 2
For local tarball sources: This is an integrity field based on the SHA512 of the file\.

.RE
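.P
Added example, not part of the npm documentation: a Node.js check of downloaded bytes against an integrity string, using only the built-in crypto module instead of ssri. It also reports when the only digest available is the SHA1 fallback described above. The function names, the PREFERENCE constant and the sample bytes are assumptions of this example.

```javascript
// Added example: check bytes against a lockfile "integrity" value (SRI string).
const crypto = require('crypto');

// Strongest first; sha1 appears only as the legacy "shasum" fallback.
const PREFERENCE = ['sha512', 'sha384', 'sha256', 'sha1'];

// Split "sha512-<base64> sha1-<base64>" into [{ algorithm, digest }].
function parseIntegrity(integrity) {
  return String(integrity).split(' ').filter(Boolean).map((entry) => {
    const dash = entry.indexOf('-');
    if (dash < 1) throw new Error('malformed integrity entry: ' + entry);
    const algorithm = entry.slice(0, dash).toLowerCase();
    if (!PREFERENCE.includes(algorithm)) {
      throw new Error('unsupported algorithm: ' + algorithm);
    }
    // SRI allows options after "?"; they are not part of the digest.
    return { algorithm, digest: entry.slice(dash + 1).split('?')[0] };
  });
}

// Verify data against the strongest algorithm listed, as SRI prescribes.
// A matching weaker digest never rescues a mismatching stronger one.
function verifyIntegrity(data, integrity) {
  const entries = parseIntegrity(integrity);
  if (entries.length === 0) return { ok: false, algorithm: null, weak: false };
  const best = PREFERENCE.find((a) => entries.some((e) => e.algorithm === a));
  const actual = crypto.createHash(best).update(data).digest();
  const candidates = entries.filter((e) => e.algorithm === best);
  const ok = candidates.some((e) => {
    const expected = Buffer.from(e.digest, 'base64');
    return expected.length === actual.length &&
      crypto.timingSafeEqual(expected, actual);
  });
  return { ok, algorithm: best, weak: best === 'sha1' };
}

// Stand-in for what ssri would produce for a given buffer.
function toIntegrity(data, algorithm) {
  return algorithm + '-' + crypto.createHash(algorithm).update(data).digest('base64');
}

// Constructed sample input; not a real package tarball.
const SAMPLE = Buffer.from('constructed tarball bytes');
```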
.SS resolved
.RS 0
.IP \(bu 2
For bundled dependencies this is not included, regardless of source\.
.IP \(bu 2
For registry sources this is the path of the tarball relative to the registry
URL\. If the tarball URL isn't on the same server as the registry URL then
this is a complete URL\.

.RE
.SS bundled
.P
If true, this is a bundled dependency and will be installed by the parent
module\. When installing, this module will be extracted from the parent
module during the extract phase, not installed as a separate dependency\.
.SS dev
.P
If true then this dependency is either a development dependency ONLY of the
top level module or a transitive dependency of one\. This is false for
dependencies that are both a development dependency of the top level and a
transitive dependency of a non\-development dependency of the top level\.
.SS optional
.P
If true then this dependency is either an optional dependency ONLY of the
top level module or a transitive dependency of one\. This is false for
dependencies that are both an optional dependency of the top level and a
transitive dependency of a non\-optional dependency of the top level\.
.P
All optional dependencies should be included even if they're uninstallable
on the current platform\.
.SS requires
.P
This is a mapping of module name to version\. This is a list of everything
this module requires, regardless of where it will be installed\. The version
should match via normal matching rules a dependency either in our
\fBdependencies\fP or in a level higher than us\.
.SS dependencies
.P
The dependencies of this dependency, exactly as at the top level\.
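.P
Added example, not part of the npm documentation: a review pass over a parsed lockfile that walks the nested dependencies maps described above and reports entries a reviewer would want to look at (no integrity, SHA1-only integrity, a plain-http resolved URL, or a git or http tarball source). The finding labels, function names and the sample lockfile are assumptions of this example.

```javascript
// Added example: audit a lockfileVersion 1 tree (field names from this page).

// Classify a dependency's "version" specifier by the source kinds listed above.
function sourceKind(version) {
  const v = String(version);
  if (v.startsWith('git+') || v.startsWith('git:')) return 'git';
  if (v.startsWith('http://') || v.startsWith('https://')) return 'http-tarball';
  if (v.startsWith('file:')) return 'local';
  return 'registry';
}

// Walk nested "dependencies" maps and collect review findings.
function auditLock(lock) {
  const findings = [];
  const walk = (deps, trail) => {
    for (const [name, dep] of Object.entries(deps || {})) {
      const here = trail.concat(name);
      const kind = sourceKind(dep.version);
      const flag = (issue) => findings.push({ path: here.join(' > '), kind, issue });
      if (!dep.bundled) { // bundled entries carry no integrity or resolved
        if (kind === 'git' || kind === 'http-tarball') flag('non-registry-source');
        const hashes = String(dep.integrity || '').split(' ').filter(Boolean);
        if (hashes.length === 0 && kind !== 'git' && kind !== 'local') flag('missing-integrity');
        if (hashes.length > 0 && hashes.every((h) => h.startsWith('sha1-'))) flag('sha1-only');
        if (String(dep.resolved || '').startsWith('http://')) flag('insecure-resolved');
      }
      walk(dep.dependencies, here); // same shape as the top level
    }
  };
  walk(lock.dependencies, []);
  return findings;
}

// Constructed sample lockfile; names, hosts and digests are placeholders.
const SAMPLE_LOCK = {
  name: 'demo-app', version: '1.0.0', lockfileVersion: 1,
  dependencies: {
    alpha: { version: '1.2.3', integrity: 'sha512-Y29uc3RydWN0ZWQ=',
      resolved: 'https://registry.example.com/alpha/-/alpha-1.2.3.tgz' },
    beta: { version: '2.0.0', integrity: 'sha1-Y29uc3RydWN0ZWQ=',
      resolved: 'http://registry.example.com/beta/-/beta-2.0.0.tgz',
      dependencies: { gamma: { version: '0.1.0',
        resolved: 'https://registry.example.com/gamma/-/gamma-0.1.0.tgz' } } },
    delta: { version: 'git+https://example.com/foo/bar#115311855adb0789a0466714ed48a1499ffea97e' },
    epsilon: { version: '3.0.0', bundled: true }
  }
};
```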
.SS See also
.RS 0
.IP \(bu 2
npm help shrinkwrap
.IP \(bu 2
npm help shrinkwrap\.json
.IP \(bu 2
npm help package\-locks
.IP \(bu 2
npm help package\.json
.IP \(bu 2
npm help install

.RE