In order to understand difference between requires and dependencies in package-lock.json
, I am checking the @angular/cli
dependency object which looks as below.
Within @angular/cli
the uuid
package is listed with version 8.3.0
under both requires
and dependencies
fields.
"@angular/cli": {
"version": "10.1.7",
"resolved": "https://registry.npmjs.org/@angular/cli/-/cli-10.1.7.tgz",
"integrity": "sha512-0tbeHnPIzSV/z+KlZT7N2J1yMnwQi4xIxvbsANrLjoAxNssse84i9BDdMZYsPoV8wbzcDhFOtt5KmfTO0GIeYQ==",
"dev": true,
"requires": {
"@angular-devkit/architect": "0.1001.7",
"@angular-devkit/core": "10.1.7",
"@angular-devkit/schematics": "10.1.7",
"@schematics/angular": "10.1.7",
"@schematics/update": "0.1001.7",
"@yarnpkg/lockfile": "1.1.0",
"ansi-colors": "4.1.1",
"debug": "4.1.1",
"ini": "1.3.5",
"inquirer": "7.3.3",
"npm-package-arg": "8.0.1",
"npm-pick-manifest": "6.1.0",
"open": "7.2.0",
"pacote": "9.5.12",
"read-package-tree": "5.3.1",
"rimraf": "3.0.2",
"semver": "7.3.2",
"symbol-observable": "1.2.0",
"universal-analytics": "0.4.23",
"uuid": "8.3.0"
},
"dependencies": {
"ansi-colors": {
"version": "4.1.1",
"resolved": "https://registry.npmjs.org/ansi-colors/-/ansi-colors-4.1.1.tgz",
"integrity": "sha512-JoX0apGbHaUJBNl6yF+p6JAFYZ666/hhCGKN5t9QFjbJQKUU/g8MNbFDbvfrgKXvI1QpZplPOnwIo99lX/AAmA==",
"dev": true
},
"debug": {
"version": "4.1.1",
"resolved": "https://registry.npmjs.org/debug/-/debug-4.1.1.tgz",
"integrity": "sha512-pYAIzeRo8J6KPEaJ0VWOh5Pzkbw/RetuzehGM7QRRX5he4fPHx2rdKMB256ehJCkX+XRQm16eZLqLNS8RSZXZw==",
"dev": true,
"requires": {
"ms": "^2.1.1"
}
},
"uuid": {
"version": "8.3.0",
"resolved": "https://registry.npmjs.org/uuid/-/uuid-8.3.0.tgz",
"integrity": "sha512-fX6Z5o4m6XsXBdli9g7DtWgAx+osMsRRZFKma1mIUsLCz6vRvv+pz5VNbyu9UEDzpMWulZfvpgb/cmDXVulYFQ==",
"dev": true
}
}
I have gone through the stackoverflow post based upon which it makes sense to have uuid
listed under requires
and dependencies
field if the version is different.
However, in this case uuid
has same version 8.3.0
under requires
and dependencies
field. So, why it is required to be listed at both the places?
According to the relevant documentation, a
dependencies
entry is not only populated for a dependency with a different version than used elsewhere. It will also be populated if the dependency is not used anywhere else. At least, that's my interpretation. If I'm right about that, runningnpm ls uuid
in your project should show that only oneuuid
entry.It needs to be listed in both places because
dependencies
has much more information thanrequires
and that information is needed bynpm
. The broader answer to "why", though, is "why not?" Thepackage-lock.json
file is fornpm
internal use. The format changed between npm version 6 and npm version 7. It will probably change again. They'll probably do whatever works best for the npm command-line tool. That may involve duplicating information.