package-lock.json is an automatically generated file in Node.js projects that ensures your app installs exactly the same dependency versions every time.
It is created when you run:
```sh
npm install
```
✅ 1. Locks exact versions of dependencies
While package.json uses version ranges like:
```json
"react": "^18.2.0"
```
The ^ lets npm pick any newer minor or patch release that satisfies the range (18.2.1, 18.3.0, ...), so two installs run at different times can end up with different versions.
But package-lock.json records the exact version installed:
```json
"react": {
  "version": "18.2.0",
  "resolved": "...",
  "integrity": "sha512-..."
}
```
So every developer gets the same version.
✔ Prevents "works on my machine" bugs
✔ Ensures consistent builds
✅ 2. Stores the entire dependency tree
It includes:
- direct dependencies
- nested dependencies
- their versions
- resolved URLs
- integrity hashes
This means your whole dependency structure is frozen.
✅ 3. Faster installs (performance)
package-lock.json helps npm:
- skip version resolution
- use cached dependencies
- do faster installs
✅ 4. Improves security
It stores an integrity hash (for example `sha512-...`) for every package, so npm can verify that each downloaded tarball is byte-for-byte what was recorded when the lock file was written.
This prevents installing tampered or corrupted packages.
🔍 Difference between package.json and package-lock.json
| Feature | package.json | package-lock.json |
|---|---|---|
| Purpose | Lists dependencies | Locks exact versions |
| Version | Allows ranges | Exact version only |
| Required? | Yes | Yes (for consistency) |
| Auto-generated | No | Yes |
| Edited manually | Yes | No |
🎯 Short Interview Answer
package-lock.json locks the exact versions of all dependencies (including nested ones) to ensure consistent installs across all environments. It improves reliability, security, and installation speed.