I'm trying to reconcile the purpose of the ^ character in package.json, and how it's affected by package-lock.json. Let's say, for example, I run npm install johnny-dependency. Now I have a dependency listed in package.json:

"johnny-dependency": "^1.2.0"

On repo instantiation and the first npm install, package-lock.json will be generated, which specifies that this package is using 1.2.0, and it will also specify which versions of johnny-dependency's dependencies should be used.

If package-lock.json essentially locks down the version, what is the purpose of the ^ or ~ semver specifiers in package.json? In this answer to the question "Why does “npm install” rewrite package-lock.json?", it is said that package-lock.json no longer locks the root-level dependencies. If so, why is it still a best practice to commit package-lock.json to source control?
I've never given much thought to this before, surely I'm missing something obvious?
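The following is an added example, not part of the original question or of npm itself: a small model of what ^ and ~ mean as version ranges, and of how a pinned lockfile version interacts with them. It assumes plain x.y.z versions with no prerelease or build tags, a constructed list of published versions for the made-up "johnny-dependency", and a simplified resolution rule (keep the locked version while it still satisfies the package.json range, otherwise pick the highest version in range). The real semver package and npm's arborist handle far more cases than this.

```javascript
// Added example (not from the original post or from npm): how ^ and ~
// translate into version ranges, and how a lockfile pin interacts with them.
// Assumption: versions are plain x.y.z, no prerelease tags or build metadata.

function parse(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  if (!m) throw new Error(`unsupported version: ${v}`);
  return m.slice(1).map(Number);
}

// Numeric comparison, field by field (so 1.9.2 < 1.10.0, unlike string order).
function compare(a, b) {
  const [pa, pb] = [parse(a), parse(b)];
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] - pb[i];
  }
  return 0;
}

// Translate a spec into a half-open interval [lower, upper).
// An exact version (as package-lock.json records) has no upper bound:
// it matches only itself.
function rangeBounds(spec) {
  if (/^\d/.test(spec)) return { lower: spec, upper: null };
  const op = spec[0];
  const base = spec.slice(1);
  const [major, minor, patch] = parse(base);
  let upper;
  if (op === '~') {
    // ~1.2.3 allows patch-level changes only: >=1.2.3 <1.3.0
    upper = [major, minor + 1, 0];
  } else if (op === '^') {
    // ^ allows changes that do not touch the left-most non-zero field:
    // ^1.2.3 -> <2.0.0, ^0.2.3 -> <0.3.0, ^0.0.3 -> <0.0.4
    if (major > 0) upper = [major + 1, 0, 0];
    else if (minor > 0) upper = [0, minor + 1, 0];
    else upper = [0, 0, patch + 1];
  } else {
    throw new Error(`unsupported range: ${spec}`);
  }
  return { lower: base, upper: upper.join('.') };
}

function satisfies(version, spec) {
  const { lower, upper } = rangeBounds(spec);
  if (upper === null) return compare(version, lower) === 0;
  return compare(version, lower) >= 0 && compare(version, upper) < 0;
}

// Simplified resolution model (assumption, not npm's actual algorithm):
// a locked version that still satisfies the package.json range is kept;
// otherwise (fresh clone without a lockfile, or a range edited so the pin
// no longer fits) the highest available version in range is chosen.
function resolve(spec, available, locked = null) {
  if (locked !== null && satisfies(locked, spec)) return locked;
  const candidates = available.filter((v) => satisfies(v, spec)).sort(compare);
  return candidates.length ? candidates[candidates.length - 1] : null;
}

// Constructed registry snapshot for the made-up "johnny-dependency".
const AVAILABLE = ['1.1.9', '1.2.0', '1.2.5', '1.3.0', '1.9.2', '2.0.0'];

console.log(resolve('^1.2.0', AVAILABLE));          // 1.9.2  no lockfile: newest in range
console.log(resolve('^1.2.0', AVAILABLE, '1.2.0')); // 1.2.0  lockfile wins while it fits
console.log(resolve('~1.2.0', AVAILABLE));          // 1.2.5  ~ stops before 1.3.0
console.log(resolve('^2.0.0', AVAILABLE, '1.2.0')); // 2.0.0  pin no longer satisfies, re-resolved
```

Running it side by side makes the point the question is circling: the range in package.json states what the project declares it can accept, while the lockfile records which single version was actually chosen within that range on a given install. Committing the lockfile is what makes a fresh clone resolve to 1.2.0 rather than to whatever 1.x happens to be newest that day.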