Understanding difference between 'requires' and 'dependencies' in package-lock.json


In order to understand the difference between requires and dependencies in package-lock.json, I am checking the @angular/cli dependency object, which looks as below. Within @angular/cli the uuid package is listed with version 8.3.0 under both the requires and dependencies fields.

"@angular/cli": {
  "version": "10.1.7",
  "resolved": "https://registry.npmjs.org/@angular/cli/-/cli-10.1.7.tgz",
  "integrity": "sha512-0tbeHnPIzSV/z+KlZT7N2J1yMnwQi4xIxvbsANrLjoAxNssse84i9BDdMZYsPoV8wbzcDhFOtt5KmfTO0GIeYQ==",
  "dev": true,
  "requires": {
    "@angular-devkit/architect": "0.1001.7",
    "@angular-devkit/core": "10.1.7",
    "@angular-devkit/schematics": "10.1.7",
    "@schematics/angular": "10.1.7",
    "@schematics/update": "0.1001.7",
    "@yarnpkg/lockfile": "1.1.0",
    "ansi-colors": "4.1.1",
    "debug": "4.1.1",
    "ini": "1.3.5",
    "inquirer": "7.3.3",
    "npm-package-arg": "8.0.1",
    "npm-pick-manifest": "6.1.0",
    "open": "7.2.0",
    "pacote": "9.5.12",
    "read-package-tree": "5.3.1",
    "rimraf": "3.0.2",
    "semver": "7.3.2",
    "symbol-observable": "1.2.0",
    "universal-analytics": "0.4.23",
    "uuid": "8.3.0"
  },
  "dependencies": {
    "ansi-colors": {
      "version": "4.1.1",
      "resolved": "https://registry.npmjs.org/ansi-colors/-/ansi-colors-4.1.1.tgz",
      "integrity": "sha512-JoX0apGbHaUJBNl6yF+p6JAFYZ666/hhCGKN5t9QFjbJQKUU/g8MNbFDbvfrgKXvI1QpZplPOnwIo99lX/AAmA==",
      "dev": true
    },
    "debug": {
      "version": "4.1.1",
      "resolved": "https://registry.npmjs.org/debug/-/debug-4.1.1.tgz",
      "integrity": "sha512-pYAIzeRo8J6KPEaJ0VWOh5Pzkbw/RetuzehGM7QRRX5he4fPHx2rdKMB256ehJCkX+XRQm16eZLqLNS8RSZXZw==",
      "dev": true,
      "requires": {
        "ms": "^2.1.1"
      }
    },
    "uuid": {
      "version": "8.3.0",
      "resolved": "https://registry.npmjs.org/uuid/-/uuid-8.3.0.tgz",
      "integrity": "sha512-fX6Z5o4m6XsXBdli9g7DtWgAx+osMsRRZFKma1mIUsLCz6vRvv+pz5VNbyu9UEDzpMWulZfvpgb/cmDXVulYFQ==",
      "dev": true
    }
  }
}

I have gone through the Stack Overflow post, based upon which it makes sense to have uuid listed under the requires and dependencies fields if the version is different.

However, in this case uuid has the same version 8.3.0 under the requires and dependencies fields. So why is it required to be listed in both places?

Trott

According to the relevant documentation, a dependencies entry is not only populated for a dependency with a different version than used elsewhere. It will also be populated if the dependency is not used anywhere else. At least, that's my interpretation. If I'm right about that, running npm ls uuid in your project should show only one uuid entry.

It needs to be listed in both places because dependencies has much more information than requires and that information is needed by npm. The broader answer to "why", though, is "why not?" The package-lock.json file is for npm internal use. The format changed between npm version 6 and npm version 7. It will probably change again. They'll probably do whatever works best for the npm command-line tool. That may involve duplicating information.
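To make the requires/dependencies relationship concrete, here is an added example in JavaScript; it is not code from the question or the answer above and not an npm API. It walks a v1 lockfile (lockfileVersion 1, the npm 6 format shown in the question) and resolves each `requires` spec the way npm lays out node_modules: look in the package's own nested `dependencies`, then in each enclosing package's, then at the top level. It reports the two cases the question is about, a nested copy that is kept because an outer copy has a different version (`uuid` here) and a nested copy that has the same version as an outer one (the kind of duplicate `npm dedupe` collapses), plus entries with no `integrity` hash, which npm cannot verify against the registry tarball. The lockfile, package versions and integrity strings are constructed for this example, and `auditLockfile`, `satisfies` and `has` are the example's own helpers.

```javascript
// Added example, not code from the original question or answer. It walks an
// npm v1 lockfile (lockfileVersion 1, npm 6) and resolves each `requires`
// entry the way Node's module resolution does: a package's `requires` is the
// spec it asks for, and the installed copy is found in that package's own
// nested `dependencies`, then in each ancestor's, then at the top level.
// The lockfile below is constructed for this example; versions and
// integrity strings are illustrative only.
const SAMPLE_LOCK = {
  name: "demo-app",
  version: "1.0.0",
  lockfileVersion: 1,
  dependencies: {
    // Top-level uuid is a different major than the one @angular/cli pins,
    // so npm nests uuid@8.3.0 under @angular/cli instead of hoisting it.
    uuid: { version: "3.4.0", integrity: "sha512-constructed-uuid-3" },
    ms: { version: "2.1.2", integrity: "sha512-constructed-ms" },
    "@angular/cli": {
      version: "10.1.7",
      integrity: "sha512-constructed-cli",
      dev: true,
      requires: { debug: "4.1.1", uuid: "8.3.0", semver: "7.3.2" },
      dependencies: {
        debug: {
          version: "4.1.1",
          integrity: "sha512-constructed-debug",
          requires: { ms: "^2.1.1" },
          // Same version as the top-level ms: `npm dedupe` could hoist it.
          dependencies: { ms: { version: "2.1.2", integrity: "sha512-constructed-ms" } },
        },
        // Integrity deliberately omitted: npm cannot verify this tarball.
        uuid: { version: "8.3.0" },
      },
    },
  },
};

// Own-property lookup so a package named "constructor" cannot hit Object.prototype.
const has = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);
const parseVer = (v) => v.split(".").map(Number);
const cmpVer = (a, b) => a[0] - b[0] || a[1] - b[1] || a[2] - b[2];

// Minimal semver matcher for the spec shapes a v1 lockfile's `requires`
// uses: exact versions, ^ and ~ ranges. Assumes no prerelease tags.
function satisfies(version, spec) {
  const v = parseVer(version);
  if (spec[0] === "^" || spec[0] === "~") {
    const min = parseVer(spec.slice(1));
    if (cmpVer(v, min) < 0 || v[0] !== min[0]) return false;
    // ~ locks the minor; ^ also locks the minor when the major is 0
    return spec[0] === "~" || min[0] === 0 ? v[1] === min[1] : true;
  }
  return cmpVer(v, parseVer(spec)) === 0;
}

// Returns findings: where each `requires` resolved ("nested" in the package's
// own dependencies, or "hoisted" from an enclosing scope), specs that resolve
// nowhere, nested copies that duplicate or shadow an outer copy, and entries
// that carry no integrity hash.
function auditLockfile(lock) {
  const findings = [];

  // ancestors: the enclosing `dependencies` maps, nearest first.
  function walk(name, node, ancestors) {
    const scopes = [node.dependencies || {}, ...ancestors];

    for (const [req, spec] of Object.entries(node.requires || {})) {
      const depth = scopes.findIndex((s) => has(s, req));
      if (depth === -1) {
        findings.push({ pkg: name, requires: req, spec, status: "unresolved" });
        continue;
      }
      const target = scopes[depth][req];
      findings.push({ pkg: name, requires: req, spec, status: depth === 0 ? "nested" : "hoisted",
        resolvedVersion: target.version, matches: satisfies(target.version, spec) });
    }

    for (const [child, entry] of Object.entries(node.dependencies || {})) {
      if (!entry.integrity) findings.push({ pkg: child, version: entry.version, status: "no-integrity" });
      const outerScope = ancestors.find((s) => has(s, child));
      if (outerScope) {
        const outer = outerScope[child].version;
        findings.push({ pkg: child, nestedVersion: entry.version, outerVersion: outer,
          status: outer === entry.version ? "duplicate-same-version" : "shadows-outer" });
      }
      walk(child, entry, scopes);
    }
  }

  walk(lock.name, lock, []);
  return findings;
}

// Usage: node lock-audit.js [path/to/package-lock.json]; defaults to SAMPLE_LOCK.
if (typeof require !== "undefined" && require.main === module) {
  const path = process.argv[2];
  const lock = path ? JSON.parse(require("fs").readFileSync(path, "utf8")) : SAMPLE_LOCK;
  for (const f of auditLockfile(lock)) console.log(JSON.stringify(f));
}
```

Run against a real npm 6 lockfile, the `unresolved` and `no-integrity` findings are the ones to act on first: the former means the lockfile does not pin what a package asks for, the latter means npm has nothing to check the downloaded tarball against. The `duplicate-same-version` findings are purely a layout matter and are what `npm dedupe` would remove; the `shadows-outer` ones (the `uuid` case) are the nesting the question's lockfile shows and are required for both versions to coexist.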