How to generate a package-lock.json file [4 ways]

Borislav Hadzhiev

Last updated: Apr 21, 2023

# Table of Contents

  1. How to generate a package-lock.json file without running npm install
  2. Generating a new package-lock.json file by running npm install
  3. Using the --package-lock option to generate a package-lock.json file
  4. Make sure you haven't added your package-lock.json file to .gitignore
  5. Generating an npm-shrinkwrap.json file

# How to generate a package-lock.json file without running npm install

Use the npm install --package-lock-only command to generate a package-lock.json file without running npm install.

The --package-lock-only option only updates the package-lock.json file instead of checking your node_modules folder and downloading dependencies.

Open your terminal in your project's root directory (where your package.json file is) and issue the following command.

shell
npm install --package-lock-only


When the --package-lock-only argument is set, a package-lock.json file is generated if it doesn't already exist.

If the file exists, it is updated.

Note that the command doesn't check your node_modules folder and doesn't download dependencies.

The package-lock.json file describes the tree of your node modules, so subsequent installs are able to generate identical trees.

If you need to generate a package.json file, issue the npm init -y command.

shell
npm init -y


The command will generate a new package.json file if it doesn't already exist.

If the file exists, its contents are printed to the terminal.

# Generating a new package-lock.json file by running npm install

You can also run the npm install command to automatically generate a new package-lock.json file.

shell
npm install


The package-lock.json file is automatically generated for all operations that modify your node_modules directory or your package.json file.

The npm update command can also be used to generate or update package-lock.json.

shell
npm update


# Using the --package-lock option to generate a package-lock.json file

If you aren't able to generate a package-lock.json file, you might have disabled the package-lock configuration in your ~/.npmrc file.

You can force generate a package-lock.json file by setting the --package-lock argument when issuing npm install.

shell
npm install --package-lock


The command will force generate a package-lock.json file even if the package-lock configuration key is set to false.

When the package-lock key is set to false, then the package-lock.json file is ignored when installing modules.

You can view your current value of the package-lock key by issuing the following command.

shell
npm config get package-lock


If you want to disable the package-lock key, set it to false by issuing the following command.

shell
# disable generating/updating package-lock.json file
npm config set package-lock false

Conversely, if you want to enable the package-lock key, set it to true.

shell
# enable generating/updating package-lock.json file
npm config set package-lock true

You might also have to view your global setting of the package-lock key by using the --global argument.

shell
npm config --global get package-lock

If you need to update the value of the global package-lock key, use either of the following commands.

shell
# disable generating/updating package-lock.json file
npm config --global set package-lock false

# enable generating/updating package-lock.json file
npm config --global set package-lock true

You can also manually check the values in your NPM configuration files.

You can view where your user NPM config file is located by issuing the following command.

shell
npm config get userconfig

And you can view where your global NPM config file is located by issuing the following command.

shell
npm config get globalconfig


# Make sure you haven't added your package-lock.json file to .gitignore

Note that your package-lock.json file should be committed to your remote repository.

If you have the file in your .gitignore file, make sure to remove it.

The package-lock.json file is used to:

  • describe your dependencies as a tree, so the same dependencies can be installed by multiple people, on multiple machines.
  • enable you to go to previous states of your node_modules directory without having to commit node_modules to git.
  • optimize the installation process of modules.

# Generating an npm-shrinkwrap.json file

You might have seen that some repositories use an npm-shrinkwrap.json file instead of package-lock.json.

The files are very similar and have the same format. However, npm-shrinkwrap.json is published to the NPM registry and package-lock.json is not.

The package-lock.json file is ignored if it is found in any other location than the root directory.

The npm-shrinkwrap.json file is most commonly used when deploying a CLI tool or when producing production packages.

If you need to generate an npm-shrinkwrap.json file, issue the following command.

shell
npm shrinkwrap


If your project has both package-lock.json and npm-shrinkwrap.json, then npm-shrinkwrap.json takes precedence and package-lock.json is ignored.
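The checks from the last three sections (a package-lock key set to false, package-lock.json listed in .gitignore, and npm-shrinkwrap.json taking precedence) can be combined into one script. This is an added example, not code from the original article: the function names and the constructed sample project are assumptions, and the .gitignore check only matches a plain package-lock.json entry.

```shell
# Added example (not from the article); uses only test and grep, no npm or git.
# Print the lockfile npm honours in DIR: npm-shrinkwrap.json takes
# precedence over package-lock.json; "none" if neither exists.
effective_lockfile() {
  if [ -f "$1/npm-shrinkwrap.json" ]; then echo "npm-shrinkwrap.json"
  elif [ -f "$1/package-lock.json" ]; then echo "package-lock.json"
  else echo "none"
  fi
}

# Succeed if npmrc FILE sets package-lock=false.
npmrc_disables_lock() {
  [ -f "$1" ] &&
    grep -Eq '^[[:space:]]*package-lock[[:space:]]*=[[:space:]]*false[[:space:]]*$' "$1"
}

# Succeed if DIR/.gitignore lists package-lock.json as a plain entry
# (negated patterns and nested .gitignore files are not evaluated).
lockfile_gitignored() {
  [ -f "$1/.gitignore" ] &&
    grep -Eq '^[[:space:]]*/?package-lock\.json[[:space:]]*$' "$1/.gitignore"
}

# lockfile_preflight DIR [NPMRC...]: print findings, return problem count.
lockfile_preflight() {
  dir=$1; shift; problems=0
  lf=$(effective_lockfile "$dir")
  echo "effective lockfile: $lf"
  [ "$lf" != none ] || { echo "PROBLEM: no lockfile in $dir"; problems=$((problems + 1)); }
  if [ "$lf" = npm-shrinkwrap.json ] && [ -f "$dir/package-lock.json" ]; then
    echo "NOTE: package-lock.json is present but ignored"
  fi
  if lockfile_gitignored "$dir"; then
    echo "PROBLEM: package-lock.json is listed in .gitignore"; problems=$((problems + 1))
  fi
  for npmrc in "$@"; do
    if npmrc_disables_lock "$npmrc"; then
      echo "PROBLEM: $npmrc sets package-lock=false"; problems=$((problems + 1))
    fi
  done
  return "$problems"
}

# Constructed sample project: lockfile ignored by git, config key off.
demo=$(mktemp -d)
: > "$demo/package-lock.json"
printf 'node_modules\npackage-lock.json\n' > "$demo/.gitignore"
printf 'package-lock=false\n' > "$demo/user.npmrc"
lockfile_preflight "$demo" "$demo/user.npmrc" || echo "problems found: $?"
```

For a real project, pass the paths printed by npm config get userconfig and npm config get globalconfig as the NPMRC arguments.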
