HomeBlogWeb Developmentpackage.json vs package-lock.json: Major Differences

package.json vs package-lock.json: Major Differences

25th Apr, 2024
view count loader
Read it in
11 Mins
In this article
    package.json vs package-lock.json: Major Differences

    Using the package.json file in Node.js, you can install various packages in your project. Node modules, package.json, and package.lock.json are three files placed in your app when you start your node application. To know about package.json vs package lock.json, let us dive further into the details below. Also, you may take Node.js certification course for a more in-depth understanding.

    package.json vs package-lock.json 

    package.json and package-lock.json are often seen files in packages. Below we have discussed significant differences between package.json and package-lock.json:






    The package.json file is the core of any node project. It stores critical metadata about a project that is necessary before releasing IT to npm, and it also specifies the functional properties of a project that npm utilizes.

    The package-lock.json is a lockfile that holds information on the dependencies or packages installed for a node.js project, including their exact version numbers. 


    The package for your project. json is the primary format for configuring and describing how to communicate with and execute your application. The npm CLI utilizes it to distinguish your project and comprehend how to handle its dependencies. 

    Its objective is to offer an immutable version of package.json, so you may fetch an earlier version of your code and end up with the same node_modules folder. 


    Package.json has the following properties: 

    • The name property: defines the name of the package 

    • The version property: states the current version of the software 

    • The license property: states what the license implies to the entire code   

    • The description property states the package on the website and in search results.  

    • The keywords property: assist in finding packages  

    • The dependency property: an object that contains package names and a version or version range 

    Package-lock.json has the following properties: 

    • The name property: states the package's name 

    • The locked version property: states the locked version of the package 

    • The dependency property: states the dependency of the package


    More than just dependencies, it also establishes a project's attributes, descriptions, and license information. 

    It is just used to lock dependencies. 

    How to Create 

    It can be created in two ways: 

    1. Using npm init 


     npm init 

    2. Writing directly: write into the file with all the necessary information

    npm install automatically creates a package-lock.json: 

    npm install 

    Pass the —package-lock-only option to build a lock file:

    npm install —package-lock-only 

    Alternatively, use the option —package-lock: 

    npm install --package-lock 

    Record Versions 


    It stores the minimum version required by your program. If you upgrade the versions of a certain package, the change will not be shown here.

    Keeps track of the exact version of each installed package, allowing you to reinstall it. Future installations will be able to generate the same dependency tree. 



    It is requisite for every project. 

    It is generated automatically whenever npm alters the modules tree or package.json.


    The package.json file is located in the root directory of the project. 

    It is located in the node_modules tree or package.json.

    Disability Feature 


    It is not possible. package.json is the core directory of the project.

    It is possible. Set package-lock=false in /.npmrc to instruct the npm command not to create package-lock.json.


    When working with Node.js, you're likely to have come across a file called a "package.json". The root directory of your project has a JSON file. The data in your package.json is critical to the project's success. It comprises human-readable and functional information about the project, such as the project name and description, the package version number, and a list of dependencies needed by the application. 

    This is an illustration of a check npm version packaging. A sample json file may look like this: 

    "name": "my-project", 
    "version": "1.5.0", 
    "description": "Express server project using compression", 
    "main": "src/index.js", 
    "scripts": { 
    "start": "node index.js", 
    "dev": "nodemon", 
    "lint": "eslint **/*.js" 
    "dependencies": { 
    "express": "^4.16.4", 
    "compression": "~1.7.4" 
    "devDependencies": { 
    "eslint": "^5.16.0", 
    "nodemon": "^1.18.11" 
    "repository": { 
    "type": "git", 
    "url": "https://github.com/osiolabs/example.git" 
    "author": "Jon Church", 
    "contributors": [{ 
    "name": "Amber Matz", 
    "email": "example@example.com", 
    "url": "https://www.osiolabs.com/#team" 
    "keywords": ["server", "osiolabs", "express", "compression"] 

    What Does Package.json Serve?

    A bundle for your project. package.json is the core repository for your application's configuration and description data. To identify your project, the npm CLI (and yarn) utilize this information to figure out your dependencies and how to deal with them. It is part of the deal. npm can start your project, execute scripts, install dependencies, publish to the NPM registry, and do a slew of other helpful actions thanks to a.json file in your project root. Using the npm CLI, you can easily keep track of all of your packages. json because it aids in the creation and updating of the package. json file throughout the duration of a project. 

    Package.json plays numerous functions in your project's lifecycle, some of which are exclusive to NPM-published bundles. You still need a package.json if you don't publish your project to the NPM registry or make it publicly accessible in any other way. 

    A package is also required for your project. 

    JSON is required before npm version check can be used to install any NPM packages. You need one of these for various reasons, but this is the most important one. 

    The package's standard fields

    • json 

    Check out a few of the most frequent and essential fields that may be found in a package:

    JSON, comprehends and handles this vital file. Some are essential for publishing an npm check package version, while others aid the npm CLI in running the application or installing dependencies. 

    If you clone the project and run npm install, the newest minor version of the dependency should be installed. It will automatically upgrade to the most recent patch present. Collaboration on the same project with many coworkers using various versions of the same dependencies might lead to conflicts.

    Additional Readings: Check out this blog on Query String in Node.js.

    What Does package.json Serve

    A bundle for your project.

    Your application's .json is the area to customize and define how to interface with and execute your application. The npm CLI (and yarn) use it to recognize your project and its dependencies. 

    Even if you don't plan to open your project to the general public, your package.json is still critical to the development process.

    A package is also required for your project.

    1. The package's standard fields 

    JSON can properly comprehend and handle any necessary file. Some are essential for publishing to NPM, while others aid the npm CLI in running the application or installing dependencies etc.

    You'll find more information on other fields in the manual, but these are the essentials.

    The package's name is specified in the name parameter. This is the name that the NPM registry will use to identify the package when it is published.

    To submit your npm get a version of package, you must include a name property, which must be unique. If you attempt to publish a package with a name already in use on the NPM registry, you will get an error. If you aren't planning on releasing a finished product, the name doesn't have to be original.

    2. Version 

    It has a version number of "1.5.0."

    When the time comes time to publish a new package, the version field is essential. The package.json file describes the program as it is right now.

    The Node.js ecosystem uses SemVer, which is not mandatory but is strongly encouraged. This feature isn't necessary for an unpublished package. It's common practice to increase the version number before uploading new NPM versions to SemVer. This procedure is not commonly employed when a package is not being utilized as a dependency or is not being published to npm install package-lock. 

    Maintaining the version field of a package used as a dependency is critical to ensuring that others use the correct version of a package. Study up on the concept of semantic versioning.

    3. License 

    This is a crucial yet frequently undervalued feature. An essential part of a package's licensing information is a field called "license." JSON explains what it is talking about. Once again, this is essential when uploading a project to the NPM registry since the license may restrict the usage of your program by certain developers or organizations. A license explicitly states the conditions under which the program may be used.

    The license's identifying code, such as "MIT" or "ISC" for the MIT license and ISC license, shall be entered here. Using the license "UNLICENSED" means you are not granting permission to use a private or unpublished package. If unsure which license to employ, you may take advantage of Full Stack Web Developer bootcamp.


    Node package json lock Manager (npm) v5.x.x has been installed and works well for you. What's this, though? A new document was automatically generated. Package-lock.json. It looks like the package.json dependencies but with more information when you open it. As you continue working on your project, you disregard it. 

    You will eventually run into issues if you are dependent on anything. Either it is missing, or the incorrect version is installed. It is uncommon for users to delete the package-lock.json file and run npm install. What is the point? Who knows what this thing is meant to do? Precisely what does it do?

    1. Versioning with Semantics

    Semantic versioning is a must for understanding the lock and even package.json (semver). What makes npm so successful is its ingenuity. Check npm version utilizes it, and you can learn more about it here. You should explain how modifications you make will influence third-party apps' capacity to engage with your application in a nutshell if you're designing an application with which other applications communicate. Semantic versioning is used to accomplish this. 

    There are three elements to a version: X, Y, and Z, the major, minor, and patch versions. 1. lockfileversion 2 .3, or major version 1, minor version 2, patch 3, would be an example. A patch change represents a bug fix that doesn't break anything. Adding new features to the minor version doesn't damage anything. Significant changes that break compatibility occurs when a primary version number is changed. Things won't function if people don't adjust to a significant version upgrade.

    2. Keeping Track of What you Have

    It is the goal of npm to make package management simple. There might be hundreds of dependencies between your projects, each of which could have a hundred additional dependents. npm was developed to get your mind off dependency discrepancies so that you could install and manage these dependencies with few accessible commands and rarely ever have to worry about them.

    An entry is added to your get npm version package when you install a package using npm (and save it).

    The yarn frozen lockfile package's name and the server to be used, both in JSON format. Some wildcards are supported in this server specification by npm; however, to install the newest version, npm adds a caret, such as "1.2.12," to the end of the path. At the very least, version 1.2.12 should be used, although any higher version is acceptable if it has the same major version, 1. Check this article on working with Path Module in Node.js.

    3. The Endgame

    To avoid the issue mentioned above, the package lock is designed to prevent the installation of modules from the same package.json. Suppose you are using npm package lock version 5. x.x or above, you will see the package-lock.json created until you deactivate it.

    Difference Between package.json and package-lock.json

    What makes a package-lock different from a standard package.json file? All of them have the same structure. This is because package-lock has a far more complete list of all your dependencies and information linked with your app.

    An excellent illustration of this is Express, which, as you can see, has the name but now has a great deal of information than the name and version we have in the package.json file. Packagelock is a specific term that doesn't need a small tilde item in front of it, so we have the precise version in use.

    Using this information, you can see precisely what's going on in your application. For this reason, the package version number is preceded by a tilde. JSON in the form you can see here

    To explain this, let us imagine that in the package.json file, we're telling the application that it's acceptable to work with an older version of the framework, such as 4.16.3. This is OK if there is a simple security patch or anything.

    Even if it is completely different in our npm check version of package or node modules list, the package lock file version has the same information. As a result, this version is used.

    If you want to put all these files into your node_modules directory, you'll need to resolve a link to the npm check update registry, which contains the actual files.

    There’s no need to worry about it; it's just there to use whenever you choose. If you're interested, that's precisely what it's there for, making things easier.

    So, when required, Express as a library does not only stand-alone; it also has its own set of dependencies. There is a set of files and other libraries that Express brings in, just as there is a set of files and other libraries that we bring in for our application.

    Array-flatten, body-parser, and this accepted library are all included. One of the most crucial things to grasp about how the package-lock file works are that it will provide you a clear view into your set of dependencies and merely the metadata for your application.

    Looking to enhance your coding skills? Join our Python online classes and unlock the power of this versatile language. Start your journey today! 


    Without package.lock.json, there could be discrepancies in installed versions in various settings. To address this difficulty, package.lock.json is generated to have the same results in any environment. It should be in source control with the package.json file so if any other user clones the project and install dependencies; then it will install the same dependencies as in package.lock.json to prevent discrepancies. 

    Without package-lock.json, your package may exist. You should, however, know what you're doing, and you shouldn't just make things easier or more productive to make things easier or more effective as long as they function. If you still have queries, you may want to opt for KnowledgeHut Node.js certification course.

    Frequently Asked Questions (FAQs)

    1Why is package-lock.json needed?

    Every installed package is tracked in a package-lock.json file so that a product may be re-created exactly as it was before its maintainers make any updates. For a particular issue, this is the best way to fix it.

    2What is package.json?

    An application's Node.js package.json file is its brain. A project's functional characteristics are defined here, which NPM utilizes to install dependencies, execute scripts, and identify the entry point to our package. It captures vital information about a project, which is necessary before publishing it to NPM.

    3What is the significant difference between package.json and package-lock.json?

    Package.json and package.lock.json both offer basic information about the project. So that future installations will have the same tree, it defines the precise configuration used to produce it.

    4Why does package-lock.json change?

    NPM is changing the package-lock.json file appropriately represents all the dependencies it has obtained since it may have received more up-to-date versions of some of them during npm install. Suppose NPM modifies the package-lock.

    5Is it possible to delete package-lock.json?

    Never remove the package-lock.json from your computer's hard drive. npm, install returns the identical versions for first-level dependencies when specified without ranges.


    Sachin Bhatnagar

    Blog Author

    Sachin Bhatnagar is an experienced education professional with 20+ years of expertise in Media & Entertainment and Web Technologies. Currently, as the Program Director - Full-Stack at KnowledgeHut, he excels in curriculum development, hands-on training, and strategic deployment of industry-centric educational programs. His online training programs on have attracted over 25,000 learners since 2014. He actively contributes to the development of full-stack training products, leveraging KnowledgeHut's advanced learning platform. Collaborating with organizational leaders, he ensures the success of these programs and has created several technology programs prominently featured in KnowledgeHut's course offerings.

    Share This Article
    Ready to Master the Skills that Drive Your Career?

    Avail your free 1:1 mentorship session.

    Your Message (Optional)

    Upcoming Web Development Batches & Dates

    NameDateFeeKnow more
    Course advisor icon
    Course Advisor
    Whatsapp/Chat icon