Why do we need package-lock.json? npm version semantics and clean install


You have probably come across package.json and package-lock.json while working with npm (or yarn.lock when using Yarn) in your React or Node application; but why exactly do we need them?

Background

package.json acts as a manifest file for all the packages to be installed; it keeps the version tree of the dependencies, including child dependencies. It lists each dependency with its version semantics, along with scripts and the browserslist configuration.


package-lock.json contains the exact version of every package installed in your project; it is needed to lock the dependencies to the versions that were actually installed.

What npm install does under the hood

npm install -s MODULE_NAME
  1. It first searches the registry for the module by name.
  2. It installs the package and its dependencies.
  3. It updates or creates package-lock.json and adds the corresponding package name and version range to package.json.

So if someone now clones your project and runs npm install, npm will download the same files as before by referring to the versions in package-lock.json and package.json. It compares the two: if they match, it follows the lock file. But what if they don't? Then npm treats the package.json manifest as authoritative and updates package-lock.json.

You also need to know about semantic versioning in package.json:

An npm package version looks like 1.0.1: the right-most number is the patch version, the middle number is the minor version and the left-most number is the major version.

  • Patch releases consist of bug fixes to a feature or backward-compatible bug fixes; the range that accepts patch releases is ~1.0.x

  • A minor release adds a new feature and should remain backward compatible; the range that accepts minor releases is ^1.x or ^1.1.3

  • A major release may break backward compatibility; the range that accepts major releases is * or x.

Now let's come back to npm install updating the lock file. Some developers tend to change dependencies by hand; or suppose you update a package dependency in your project, commit only package.json and not package-lock.json, and in the meantime another developer clones your repository.....

Enter npm clean install

npm clean-install

npm ci bypasses the version ranges in package.json and installs the modules recorded in the lock file. This ensures reproducible builds: you get exactly what you expect on every install.

Previously, developers who wanted to ensure that node_modules/ and package.json stayed in sync would have to archive their node_modules folder. npm ci replaces this process with a single command.

What steps does it take?

  • If a node_modules folder exists, it is deleted and a fresh one is installed.

  • If package-lock.json doesn't exist or its versions don't match package.json, npm ci reports an error and stops.
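As an added example that is not part of the original post, the following Node.js script implements the range operators from the version-semantics section above (exact, ~, ^, x and *) and then uses them to check a package.json against its package-lock.json, the comparison that decides whether npm install rewrites the lock file and that makes npm ci stop with an error. The package names, versions and integrity hashes are constructed sample data, and the matcher deliberately skips pre-release tags and compound ranges that the real semver package handles.

```javascript
// Added example, not code from the original post. It implements the
// version-range semantics described above (exact, ~, ^, x and *) and then
// checks a package.json against a package-lock.json the way `npm ci` does
// before it refuses to run. Both manifests below are constructed sample data.

// Parse "MAJOR.MINOR.PATCH" into three numbers (pre-release tags are out of scope).
function parseVersion(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(String(version).trim());
  if (!m) throw new Error(`unsupported version: ${version}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Lexicographic comparison of two parsed versions: -1, 0 or 1.
function compare(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Translate a range into an inclusive lower bound and an exclusive upper bound.
// Returns null for "*" / "x", which accept any version, including new majors.
function rangeBounds(range) {
  const r = String(range).trim();
  if (r === '' || r === '*' || r === 'x' || r === 'X') return null;
  const m = /^([\^~])?(\d+)(?:\.(\d+|[xX*]))?(?:\.(\d+|[xX*]))?$/.exec(r);
  if (!m) throw new Error(`unsupported range: ${range}`);
  const op = m[1] || '';
  const lower = [0, 0, 0];
  let specified = 0; // concrete numeric components before the first x / omission
  for (const comp of [m[2], m[3], m[4]]) {
    if (comp === undefined || /^[xX*]$/.test(comp)) break;
    lower[specified++] = Number(comp);
  }
  // Index of the component whose increment forms the exclusive upper bound.
  let bump;
  if (op === '^') {
    // Caret: allow changes that keep the left-most non-zero component fixed.
    bump = lower.findIndex((n, i) => i < specified && n !== 0);
    if (bump === -1) bump = specified - 1; // ^0.x, ^0.0.x, ^0.0.0
  } else if (op === '~') {
    // Tilde: allow patch-level changes (minor-level if only a major was given).
    bump = specified >= 2 ? 1 : 0;
  } else {
    // No operator: "1.2.3" is exact, "1.2" / "1.2.x" and "1" / "1.x" are wildcards.
    bump = specified - 1;
  }
  const upper = [0, 0, 0];
  for (let i = 0; i < bump; i++) upper[i] = lower[i];
  upper[bump] = lower[bump] + 1;
  return { lower, upper };
}

function satisfies(version, range) {
  const v = parseVersion(version);
  const b = rangeBounds(range);
  return b === null || (compare(v, b.lower) >= 0 && compare(v, b.upper) < 0);
}

// Compare every declared dependency with what the lock file pinned, supporting
// both the lockfileVersion 2/3 "packages" map and the v1 "dependencies" map.
function checkLock(pkg, lock) {
  const declared = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
  const problems = [];
  for (const [name, range] of Object.entries(declared)) {
    const entry = (lock.packages && lock.packages[`node_modules/${name}`])
      || (lock.dependencies && lock.dependencies[name]);
    if (!entry) {
      problems.push(`${name}: declared as ${range} but missing from the lock file`);
    } else if (!satisfies(entry.version, range)) {
      problems.push(`${name}: locked ${entry.version} does not satisfy ${range}`);
    } else if (!entry.integrity) {
      // The integrity hash is what lets npm verify the tarball it downloads.
      problems.push(`${name}: lock entry has no integrity hash`);
    }
  }
  return problems;
}

// Constructed sample manifests: package names, versions and hashes are made up.
const samplePackageJson = {
  name: 'sample-app',
  dependencies: { 'example-logger': '^1.1.3', 'example-utils': '~4.17.15' },
  devDependencies: { 'example-test-runner': '^26.0.0' },
};
const sampleLock = {
  lockfileVersion: 2,
  packages: {
    '': { dependencies: samplePackageJson.dependencies },
    'node_modules/example-logger': { version: '1.3.0', integrity: 'sha512-CONSTRUCTED-PLACEHOLDER' },
    // package.json was edited by hand to ~4.17.15 while the lock file still pins 4.18.0.
    'node_modules/example-utils': { version: '4.18.0', integrity: 'sha512-CONSTRUCTED-PLACEHOLDER' },
    // example-test-runner was added to package.json but the updated lock file was never committed.
  },
};

for (const [v, r] of [['1.0.9', '~1.0.4'], ['1.1.0', '~1.0.4'], ['1.9.0', '^1.1.3'], ['2.0.0', '^1.1.3']]) {
  console.log(`${v} satisfies ${r}: ${satisfies(v, r)}`);
}
console.log(checkLock(samplePackageJson, sampleLock));
```

Running the script reports two problems for the sample manifests: the hand-edited range for example-utils no longer accepts the pinned 4.18.0, and example-test-runner is missing from the lock file. With npm install, both cases would silently rewrite package-lock.json; with npm ci, both stop the build, which is the behaviour you want in CI. The `integrity` check is included because that hash is what lets npm verify the downloaded tarball against what was recorded when the dependency was first installed.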

In some cases npm ci is also faster, and it improves readability; check this GitHub.

Conclusion:

  1. Next time you clone a repository, use npm clean-install to avoid version compatibility issues.
  2. Be aware of the version semantics in the manifest file.
  3. Never try to update package.json by hand.