Difference between `npm update` and `remove package-lock.json` plus `npm install`?

yakunins · Apr 27, 2020 · Viewed 11.1k times

What is the essential difference between these commands, except that `npm update` modifies `package.json`?

rm package-lock.json
npm install
npm update --dev

Answer

Milan Tenk · May 12, 2020

In `package-lock.json`, basically the indirect dependencies are locked. Indirect dependencies are those dependencies that are not specified in the `package.json` of your project but are the dependencies of your dependencies.

When `npm update --dev` is called, some dependencies are updated in the `package.json`. After the entries are updated, an install is called; this install updates in `package-lock.json` those third parties that are connected with the ones modified in the `package.json`. This means that both the direct and indirect dependencies are updated in the `package-lock.json`, but only for those that were modified in `package.json`. The third parties that remained the same in the `package.json` won't be touched in the `package-lock.json`. (Both their direct and indirect dependencies remain the same.)

When `rm package-lock.json` and `npm install` are called, the information about the indirect dependencies is lost with the removal of the `package-lock.json`. As `npm install` is called, a new `package-lock.json` is generated and the indirect dependencies could change for all of your dependencies.

Let's see an example for this.

In `package-lock.json` we have an indirect dependency, tslib: 1.9.0.

"tslib": {
  "version": "1.9.0",
  "resolved": "https://registry.npmjs.org/tslib/-/tslib-1.9.0.tgz",
  "integrity": "sha512-f/qGG2tUkrISBlQZEjEqoZ3B2+npJjIf04H1wuAv9iA8i04Icp+61KRXxFdha22670NJopsZCIjhC3SnjPRKrQ=="
},

tslib is a dependency of all Angular modules that are specified directly in the `package.json`:

"dependencies": {
  "@angular/animations": "8.2.12",
  "@angular/cdk": "~8.2.3",
  "@angular/common": "8.2.12",
  "@angular/compiler": "8.2.12",
  "@angular/core": "8.2.12",
  "@angular/flex-layout": "^8.0.0-beta.27",
  "@angular/forms": "8.2.12",
  "@angular/material": "^8.2.3",
  "@angular/platform-browser": "8.2.12",
  "@angular/platform-browser-dynamic": "8.2.12",
  "@angular/platform-server": "8.2.12",
  "@angular/router": "8.2.12",
  "@nguniversal/module-map-ngfactory-loader": "8.1.1",
  "aspnet-prerendering": "^3.0.1",
  "bootstrap": "^4.3.1",
  "core-js": "^2.6.5",
  "hammerjs": "^2.0.8",
  "jquery": "3.4.1",
  "oidc-client": "^1.9.0",
  "popper.js": "^1.14.3",
  "rxjs": "^6.4.0",
  "zone.js": "~0.9.1"
},
"devDependencies": {
  "@angular-devkit/build-angular": "^0.800.6",
  "@angular/cli": "8.3.18",
  "@angular/compiler-cli": "8.2.12",
  "@angular/language-service": "8.2.12",
  "@types/jasmine": "~3.3.9",
  "@types/jasminewd2": "~2.0.6",
  "@types/node": "~11.10.5",
  "codelyzer": "^5.0.1",
  "jasmine-core": "~3.3.0",
  "jasmine-spec-reporter": "~4.2.1",
  "karma": "^4.0.0",
  "karma-chrome-launcher": "~2.2.0",
  "karma-coverage-istanbul-reporter": "~2.0.5",
  "karma-jasmine": "~2.0.1",
  "karma-jasmine-html-reporter": "^1.4.0",
  "typescript": "3.4.5"
},
"optionalDependencies": {
  "node-sass": "^4.9.3",
  "protractor": "~5.4.0",
  "ts-node": "~5.0.1",
  "tslint": "~5.9.1"
}

If we call `npm update --dev`, the following changes are made:

+ [email protected]
+ [email protected]
+ [email protected]
+ [email protected]
+ [email protected]
+ [email protected]
+ [email protected]
+ @types/[email protected]
+ @types/[email protected]
+ [email protected]
+ [email protected]

We can see that in the `package.json` the Angular dependencies are not touched. It follows that tslib also remains on version 1.9.0 in the `package-lock.json`.

However, if we remove the `package-lock.json`, remove the `node_modules`, do the above updates in the `package.json` manually and call `npm install`, we can see in the newly generated `package-lock.json` that tslib is also updated to 1.12.0. (If we do not remove the `node_modules`, the same version could be put back in the `package-lock.json` as previously.)

Conclusion

So the difference is that in the case of `npm update --dev` only those direct and indirect dependencies are updated which were connected with the changed ones in the `package.json`. But in the case of `rm package-lock.json` and `npm install`, all indirect dependencies can change.
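
To see which indirect dependencies a regenerated lockfile actually moved, the old and new `package-lock.json` can be compared entry by entry before the change is committed. The following is an added example, not part of the original answer; the function names, the rxjs version and the integrity strings are constructed for illustration.

```javascript
// Flatten a lockfile into Map<install path, {version, integrity}>. Handles the v1
// "dependencies" tree (the format quoted above) and the v2/v3 "packages" map.
function flattenLock(lock) {
  const out = new Map();
  if (lock.packages) {
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (path !== '') out.set(path, { version: meta.version, integrity: meta.integrity });
    }
    return out;
  }
  const walk = (deps, prefix) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      out.set(path, { version: meta.version, integrity: meta.integrity });
      walk(meta.dependencies, `${path}/`); // v1 nests non-hoisted copies
    }
  };
  walk(lock.dependencies, '');
  return out;
}

// Report entries that were added, removed, changed version, or kept their version
// but changed integrity hash. `direct` holds the names listed in package.json.
function diffLocks(oldLock, newLock, direct) {
  const before = flattenLock(oldLock);
  const after = flattenLock(newLock);
  const changes = [];
  for (const path of new Set([...before.keys(), ...after.keys()])) {
    const a = before.get(path);
    const b = after.get(path);
    const kind = !a ? 'added' : !b ? 'removed' : a.version !== b.version ? 'version'
      : a.integrity !== b.integrity ? 'integrity' : null;
    if (!kind) continue;
    // Only a top-level entry named in package.json counts as direct.
    const indirect = !direct.has(path.replace(/^node_modules\//, ''));
    changes.push({ path, kind, from: a && a.version, to: b && b.version, indirect });
  }
  return changes;
}
// Constructed sample: the tslib versions come from the answer; the rxjs version and
// all integrity strings are placeholders, not real registry values.
const DIRECT = new Set(['rxjs']);
const OLD_LOCK = { lockfileVersion: 1, dependencies: {
  tslib: { version: '1.9.0', integrity: 'sha512-PLACEHOLDER-A' },
  rxjs: { version: '6.4.0', integrity: 'sha512-PLACEHOLDER-B' } } };
const NEW_LOCK = { lockfileVersion: 1, dependencies: {
  tslib: { version: '1.12.0', integrity: 'sha512-PLACEHOLDER-C' },
  rxjs: { version: '6.4.0', integrity: 'sha512-PLACEHOLDER-D' } } };
console.log(diffLocks(OLD_LOCK, NEW_LOCK, DIRECT));
```

An `integrity` entry (same version, different hash) deserves review before any version bump, unless the lockfile merely switched hash algorithm, because a published version's tarball is not expected to change.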