Last updated on Mar 7, 2025
•4 mins read
Does your JavaScript project have outdated dependencies?
Keeping them accurate and secure helps maintain stability across different environments.
This guide explains how to update package-lock JSON dependencies the right way. It covers best practices, common pitfalls, and step-by-step instructions. Learn when to use npm install, how to manage your package-lock file, and why commands like npm ci and npm audit matter.
By the end, handling dependencies will feel much easier!
Let’s break it down.
The package-lock.json is an automatically generated file created when you run `npm install`. Its purpose is dependency locking, ensuring your project uses the exact versions of dependencies across all installations. It documents an exact tree of your installed packages.
A simplified structure of a package-lock.json includes:
```json
{
  "name": "your-project-name",
  "lockfileVersion": 2,
  "requires": true,
  "packages": {
    "": {
      "name": "your-project-name",
      "version": "1.0.0",
      "dependencies": {
        "express": "^4.17.1"
      }
    },
    "node_modules/express": {
      "version": "4.17.1",
      "resolved": "https://registry.npmjs.org/express/-/express-4.17.1.tgz",
      "integrity": "sha512-xxxx",
      "dependencies": {
        "body-parser": "~1.19.0"
      }
    }
  },
  "dependencies": {
    "express": {
      "version": "4.17.1",
      "resolved": "https://registry.npmjs.org/express/-/express-4.17.1.tgz",
      "integrity": "sha512-xxxx"
    }
  }
}
```
• resolved: URL from which the package tarball is fetched.
• integrity: Hash of that tarball; npm verifies the downloaded archive against it.
• dependencies: Lists the dependencies the package explicitly requires.
Running the command `npm install` ensures the same dependencies with exact versions get installed across different environments. This is important in automated environments and continuous integration.
Follow this detailed guide:
Before updating, confirm your npm installation:
```shell
npm --version
```
Delete `node_modules` (optional but recommended) to start fresh:
```shell
rm -rf node_modules
```
Now, run `npm install`:
```shell
npm install
```
When running npm install, npm reads your package.json and fetches dependencies listed, updating package-lock.json to match exact versions of installed packages.
After installation, review the changes:
```shell
git diff package-lock.json
```
Always commit your changes:
```shell
git add package-lock.json
git commit -m "Updated dependencies and package-lock.json"
```
The `npm ci` command is used in automated setups to quickly install dependencies using the exact same versions from package-lock.json.
• Unlike the regular `npm install`, `npm ci` ignores package.json and strictly installs the exact tree defined in package-lock.json.
Run `npm ci` as shown:
```shell
npm ci
```
| Command | Purpose | Speed | Modifies lock file? |
|---|---|---|---|
| `npm install` | Installs and potentially updates dependencies | Slower | Yes |
| `npm ci` | Installs exact versions from lock file | Faster | No |
After installing packages, run `npm audit` to detect vulnerabilities:
```shell
npm audit
```
To automatically fix security issues:
```shell
npm audit fix
```
Running `npm audit` regularly keeps your project secure from known vulnerabilities.
Use the `npm update` command when updating dependencies within specified version ranges:
```shell
npm update express
```
This command updates only the package named "express" and respects the semantic version range defined in your package.json.
When changing dependencies or updating a dependency to a major new version that may have breaking changes, manual checks and tests are required:
```json
"dependencies": {
  "express": "^5.0.0"
}
```
```shell
npm install
```
Review and fix any compatibility issues detected.
Peer dependencies must be handled manually. npm displays warnings or errors about unmet peer dependencies when running `npm install`. To resolve these, explicitly install the peer dependencies listed in the warnings:
```shell
npm install <peer_dependency_name>
```
• Always commit your updated package-lock.json.
• Avoid manually editing package-lock.json.
• Use `npm ci` in CI/CD pipelines.
• Regularly update dependencies and run npm audit.
Here's a summary of the overall installation process:
Knowing how to update package-lock.json dependencies helps keep JavaScript projects stable and secure. Running npm install regularly, using npm ci when needed, and keeping versions consistent in the package-lock file prevent unexpected issues. Running security audits also helps catch vulnerabilities early.
By following these steps, developers can manage dependencies with confidence and keep their projects running smoothly across different environments.