Npm update package-lock. Even if a patch or minor release should not introduce breaking changes, we all know bugs can and so, they will slide in. In older npms changes made directly a package. The reason why every package manager has 2 separate files and uses semver is so you wouldn't need to put exact versions in the main dependencies file. Now what happens if a new version of the dependency is published, accidentally breaks semver and your package breaks because of it? When you npm install cowsay, this entry is added to the package. It is correct that if you didn't specify ranges in the package. That's why you can use package-lock. Which in this case, unfortunately, I don't think is happening. For this reason, not using a lock file for library dev increases the chance of shipping fewer bugs. Having a way to create a static and repeatable installation is essential for testing as currently with version 5. When working on an application Alright, what about packages used by the end users in the terminal or bundled executables in general? Third, you simply delete the lock before running the tests in the special build. The previous lock format is still supported and recognized as version 0. At least that strategy seems to yield reproducible builds then. Let's say I have a package. It is basically a reproducible record of what files were actually downloaded. I hope this wisdom is unchanged with recent versions. Yea, this has been causing me serious grief the last couple of days. NPM Package Locks: “npm notice created a lockfile as package - Like npm update-lock mycoolmodule Those of us who opt for non-default behavior will still need a way to configure our package-lock to our liking. If you really trust npm, sure; package-lock's purpose is to more explicitly report what the project is using.
Ultimately: which is more important, your package manager or the code you're using? If you're using npm 5, you may see this on the command line: created a lockfile as package-lock. You should commit this file. It describes the exact tree that was generated, such that subsequent installs are able to generate identical trees, regardless of intermediate dependency updates. One key detail about package-lock. It shares a format with npm-shrinkwrap. That's why you can use package-lock. For this reason, not using a lock file for library dev increases the chance of shipping fewer bugs. It always conflicts when we merge or rebase, and when a merge results in a package-lock. I'm making some changes on a branch that need to be merged to trunk. This part is the most important when building in different environments at different times. As far as I know, never using semver (which npm devs don't understand anyway) should yield the same behavior as having a lockfile, at least in 99% of cases. My own experience is that semver fuckups happen mostly with primary packages: direct dependencies, crappy jquery datepickers, etc. My personal experience with npm has been that lock files were noise forever. I hope this wisdom is unchanged with recent versions. Some repos may not require the benefits that come from having it, and may prefer to have no auto-generated content in source. It describes the exact tree that was generated, such that subsequent installs are able to generate identical trees, regardless of intermediate dependency updates. In my experience it either does not affect what is installed by npm install, or if it does, it has not to date adversely affected the applications I deploy, to my knowledge. I don't use mongodb or other such applications that are traditionally thin client. Control of node and npm versions is done manually on each server, but I am careful that they are the same.
That is, you can't deploy because the pull will overwrite the changes that have been made to package-lock. You can't even overwrite a locally generated package-lock. If I am missing something, please correct me in the comments, but the point that versioning is taken from this file makes no sense.