Why is package-lock.json created if npm already has npm-shrinkwrap.json for locking purposes?


npm-shrinkwrap.json: Lock down the node_modules tree as well as dependencies and nested dependencies to prevent the package code breaking on other machines.

package-lock.json: Lock down the node_modules tree as well as dependencies and nested dependencies to prevent the package code breaking on other machines.

So, why is package-lock.json created if npm already has npm-shrinkwrap.json for locking purposes?

Why did they create the new package-lock.json file, giving rise to npm version compatibility issues, when developers are already using npm-shrinkwrap.json?

Any simple, easy and well-explained answer with example?


There are 2 answers

Nima Bastani

npm publishes most files in your source directory by default, and people have been publishing shrinkwraps for years. We didn't want to break compatibility. With --save and shrinkwrap by default, there was a great risk of it accidentally making it in and propagating through the registry and basically rendering our ability to update deps and dedupe... null.

So we chose a new name. And we chose a new name kind of all of a sudden. The new lockfile shares basically all of the same code, the exact same format.

The idea is definitely for package-lock.json to be the Latest and Greatest in shrinkwrap technology, and npm-shrinkwrap.json to be reserved for those folks who care very much about their libraries having an exact node_modules -- npm-shrinkwrap had some special dependency-behavior settings that package-lock doesn't have now.

faboulaws

They do the same thing. However, there are a few differences:

  • package-lock.json is ignored by npm when publishing packages, while npm-shrinkwrap.json is not. It is generally not advised to publish modules with npm-shrinkwrap.json.
  • When both are in the root directory, npm-shrinkwrap.json is used.
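The precedence rule and the shared file format that the two answers describe, as an added example that is not part of the question or either answer: a small Python script that picks the lockfile npm would honour (npm-shrinkwrap.json over package-lock.json when both sit in the project root) and then audits the pinned entries of whichever file it found, since both use the same JSON layout. It flags entries that carry no integrity hash, that resolve to a host other than the registry, or that are local links, which is the review a maintainer wants before an npm-shrinkwrap.json ships inside a published package. The sample lockfiles, package names, URLs and integrity strings are constructed placeholders, and the trusted-registry hostname is an assumption.

```python
"""Pick the lockfile npm would honour and audit its pinned entries.

Added example, not code from the question or either answer. The sample
lockfiles, package names, URLs and integrity strings are constructed.
"""
import json
import os
import tempfile
from urllib.parse import urlparse

# Order npm checks in (per the answer above); the first file found wins.
LOCKFILE_PRECEDENCE = ("npm-shrinkwrap.json", "package-lock.json")
# Assumption: only the public registry is an acceptable download source.
TRUSTED_REGISTRY_HOST = "registry.npmjs.org"

# Constructed lockfileVersion 1 sample: nested "dependencies" tree.
SAMPLE_LOCK_V1 = {
    "name": "example-app", "version": "1.0.0", "lockfileVersion": 1, "requires": True,
    "dependencies": {
        "pkg-a": {"version": "1.2.3",
                  "resolved": "https://registry.npmjs.org/pkg-a/-/pkg-a-1.2.3.tgz",
                  "integrity": "sha512-PLACEHOLDER-A"},
        "pkg-b": {  # unpinned, and fetched from somewhere other than the registry
            "version": "0.0.1",
            "resolved": "http://example.invalid/pkg-b-0.0.1.tgz",
            "dependencies": {
                "pkg-c": {"version": "2.0.0",
                          "resolved": "https://registry.npmjs.org/pkg-c/-/pkg-c-2.0.0.tgz",
                          "integrity": "sha512-PLACEHOLDER-C"},
            },
        },
    },
}

# Constructed lockfileVersion 3 sample: flat "packages" map keyed by node_modules path.
SAMPLE_LOCK_V3 = {
    "name": "example-app", "version": "1.0.0", "lockfileVersion": 3,
    "packages": {
        "": {"name": "example-app", "version": "1.0.0"},
        "node_modules/pkg-a": {"version": "1.2.3",
                               "resolved": "https://registry.npmjs.org/pkg-a/-/pkg-a-1.2.3.tgz",
                               "integrity": "sha512-PLACEHOLDER-A"},
        "node_modules/pkg-a/node_modules/pkg-c": {"resolved": "packages/pkg-c", "link": True},
    },
}


def pick_lockfile(dir_path):
    """Return the path of the lockfile npm would use in dir_path, or None if there is none."""
    for name in LOCKFILE_PRECEDENCE:
        candidate = os.path.join(dir_path, name)
        if os.path.isfile(candidate):
            return candidate
    return None


def iter_entries(lock):
    """Yield (package name, entry) for every locked package, for lockfileVersion 1, 2 or 3."""
    packages = lock.get("packages")
    if isinstance(packages, dict):  # lockfileVersion 2/3 layout
        for path, entry in packages.items():
            if path == "":  # the root project itself, not a dependency
                continue
            yield path.rsplit("node_modules/", 1)[-1], entry
        return

    def walk(deps):  # lockfileVersion 1 layout: recurse into nested trees
        for name, entry in (deps or {}).items():
            yield name, entry
            yield from walk(entry.get("dependencies"))

    yield from walk(lock.get("dependencies"))


def audit_lock(lock):
    """Return (name, problem) pairs for entries to review before install or publish."""
    findings = []
    for name, entry in iter_entries(lock):
        if entry.get("link"):
            findings.append((name, "local link, not fetched from the registry"))
            continue
        resolved = entry.get("resolved")
        if not resolved:
            findings.append((name, "no resolved URL"))
            continue
        if urlparse(resolved).hostname != TRUSTED_REGISTRY_HOST:
            findings.append((name, "resolved outside registry: " + resolved))
        if not entry.get("integrity"):
            findings.append((name, "missing integrity hash"))
    return findings


def precedence_demo():
    """Write both lockfiles into a scratch directory and return the basename npm would pick."""
    with tempfile.TemporaryDirectory() as tmp:
        for name in LOCKFILE_PRECEDENCE:
            with open(os.path.join(tmp, name), "w") as fh:
                json.dump(SAMPLE_LOCK_V1, fh)
        return os.path.basename(pick_lockfile(tmp))


if __name__ == "__main__":
    print("npm would read:", precedence_demo())
    for sample in (SAMPLE_LOCK_V1, SAMPLE_LOCK_V3):
        for name, problem in audit_lock(sample):
            print("lockfileVersion %d: %s: %s" % (sample["lockfileVersion"], name, problem))
```

Run it on a real project by calling `pick_lockfile(".")` and passing the parsed file to `audit_lock`; because npm-shrinkwrap.json is the file that actually travels with a published package, auditing it with the same code that checks package-lock.json is the practical payoff of the two files sharing one format.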