Should package-lock.json be published?

npm 5 introduced package-lock.json, whose documentation is here.

It states that the file is meant to be included in version control, so anyone cloning your package and installing it will have the same version of the dependencies. In other words, you shouldn't add it to your .gitignore file.

What it does not state is whether or not the file is intended to be included in the published package. This question can be rephrased as: should package-lock.json be included in .npmignore?



1 answer


It cannot be published.

From npm documentation:

One key piece of information about package-lock.json is that it cannot be published, and it will be ignored if found anywhere other than the toplevel package.

See the package-lock.json documentation at docs.npmjs.com.

However, you should push package-lock.json to git as per the documentation.



This file is for committing to the original repositories, hence the general message provided by npm:

created a lockfile as package-lock.json. You should commit this file.

      

EDIT: A more detailed description can be found here.
