package.json

Learn about the importance of the package.json file.

What is package.json?

Every published package has a package.json file. This file makes it easy for others to manage and install the package. It gives npm the information it needs to identify the package and to handle the package’s dependencies. Node.js is only aware of two fields: name and version. However, other fields, such as dependencies and main, are vital for a package to be used.

Let’s take a look at the content in the package.json of jsonwebtoken, a popular Node.js package that is used for authentication.

{
  "name": "jsonwebtoken",
  "version": "8.5.1",
  "description": "JSON Web Token implementation (symmetric and asymmetric)",
  "main": "index.js",
  "nyc": {
    "check-coverage": true,
    "lines": 95,
    "statements": 95,
    "functions": 100,
    "branches": 95,
    "exclude": [
      "./test/**"
    ],
    "reporter": [
      "json",
      "lcov",
      "text-summary"
    ]
  },
  "scripts": {
    "lint": "eslint .",
    "coverage": "nyc mocha --use_strict",
    "test": "npm run lint && npm run coverage && cost-of-modules"
  },
  "repository": {
    "type": "git",
    "url": "https://github.com/auth0/node-jsonwebtoken"
  },
  "keywords": [
    "jwt"
  ],
  "author": "auth0",
  "license": "MIT",
  "bugs": {
    "url": "https://github.com/auth0/node-jsonwebtoken/issues"
  },
  "dependencies": {
    "jws": "^3.2.2",
    "lodash.includes": "^4.3.0",
    "lodash.isboolean": "^3.0.3",
    "lodash.isinteger": "^4.0.4",
    "lodash.isnumber": "^3.0.3",
    "lodash.isplainobject": "^4.0.6",
    "lodash.isstring": "^4.0.1",
    "lodash.once": "^4.0.0",
    "ms": "^2.1.1",
    "semver": "^5.6.0"
  },
  "devDependencies": {
    "atob": "^2.1.2",
    "chai": "^4.1.2",
    "conventional-changelog": "~1.1.0",
    "cost-of-modules": "^1.0.1",
    "eslint": "^4.19.1",
    "mocha": "^5.2.0",
    "nsp": "^2.6.2",
    "nyc": "^11.9.0",
    "sinon": "^6.0.0"
  },
  "engines": {
    "npm": ">=1.4.28",
    "node": ">=4"
  },
  "files": [
    "lib",
    "decode.js",
    "sign.js",
    "verify.js"
  ]
}

There are several different descriptors in the package.json file. Let’s take a look at some of the common ones.

Field            Explanation
name             The name of the package
version          Package version in major.minor.patch format
description      A few words to describe the package
main             The entry point of the package, used when require("package name") is run; it is resolved to require(package.json:main)
repository       URL of the repository
keywords         Used to describe the package and improve search results
dependencies     List of dependencies that are available on npm
devDependencies  Recommended or required dependencies to modify the package

Other fields, such as author, contributors, and homepage, are used to give credit and links for additional references.

Package dependencies

Dependencies can be added to the package.json file automatically, using the CLI.

dependencies

To add dependencies to the package.json file from the command line, you can install them in the root directory of the package. This is the command:

npm install <package-name>

devDependencies

For devDependencies we use the --save-dev flag. This is the command:

npm install <package-name> --save-dev

We can also edit the package.json file manually to add dependencies using a text editor.

Installing dependencies

While working on a Node.js project, we often install a number of packages and dependencies. Another benefit of the package.json file is that it allows us to install all the dependencies with just a single line. The package.json is located in the root directory of projects and contains all the dependencies of the project. So, to install the dependencies for a project, all you have to do is go to the root directory of the project and use the following command:

npm install

This command is very useful when installing projects from websites such as GitHub.

Let’s try to install the dependencies for this GitHub project. We have already downloaded the project for you using the git clone command. Just try to install it.

Don’t forget to go into the project directory before running the install command. You can view all the contents of the current directory using the ls command. You can go to a directory by using the command cd directory-name.

This project consists of two components: the server-side and the client-side. The root directory contains a package.json file for the server. However, if you navigate into the client folder, you will find another package.json file. This file contains the dependencies for the client component. These dependencies can be installed by running npm install in the client folder.


package-lock.json

You might have noticed the ^ before the version numbers in the dependencies above. This caret is added to show the minimum version that is needed for this package to run. For example, the entry on line 39 means that we need jws version 3.2.2 for this package to run. However, if jws were updated and a newer version, 3.2.3, were released, the next person to install the jsonwebtoken package would get the latest version of jws. Usually, updating to a newer version does not cause issues as long as the major version is the same. However, sometimes, a newer version of a dependency can prevent packages from working as expected. This is where the package-lock.json comes in.

The package-lock.json is automatically generated when either the node_modules tree or package.json is modified by npm. It describes the exact tree that was generated. This allows us to ensure a consistent install with compatible dependencies across devices.
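To make the relationship between the ranges in package.json and the pinned tree in package-lock.json concrete, here is an added example (not part of the original lesson or of the jsonwebtoken project) that checks each declared dependency against its lockfile entry. The lockfile object, its versions and the placeholder integrity strings are constructed for illustration, and the matcher only understands plain ^x.y.z, ~x.y.z and exact x.y.z ranges.

```javascript
// Constructed sample data: a slice of the jsonwebtoken manifest shown above
// and a hypothetical lockfile in the lockfileVersion 3 layout.
const manifest = {
  dependencies: { jws: "^3.2.2", ms: "^2.1.1", semver: "^5.6.0" },
  devDependencies: { "conventional-changelog": "~1.1.0" },
};
const lockfile = {
  lockfileVersion: 3,
  packages: {
    "node_modules/jws": { version: "3.2.3", integrity: "sha512-PLACEHOLDER" },
    "node_modules/ms": { version: "3.0.0", integrity: "sha512-PLACEHOLDER" },
    "node_modules/semver": { version: "5.7.2" }, // integrity deliberately missing
  },
};

const parse = (v) => v.split(".").map(Number);
const cmp = (a, b) => a[0] - b[0] || a[1] - b[1] || a[2] - b[2];

// True when `version` falls inside `range` (no pre-release or compound ranges).
function satisfies(version, range) {
  const m = /^([\^~]?)(\d+\.\d+\.\d+)$/.exec(range);
  if (!m) throw new Error(`unsupported range: ${range}`);
  const min = parse(m[2]), v = parse(version);
  if (m[1] === "") return cmp(v, min) === 0;
  let upper; // exclusive upper bound implied by the operator
  if (m[1] === "~" || (min[0] === 0 && min[1] > 0)) upper = [min[0], min[1] + 1, 0];
  else if (min[0] > 0) upper = [min[0] + 1, 0, 0];
  else upper = [0, 0, min[2] + 1]; // ^0.0.z admits only that patch
  return cmp(v, min) >= 0 && cmp(v, upper) < 0;
}

// Returns one finding per declared dependency that the lockfile does not pin cleanly.
function auditLock(manifest, lockfile) {
  const declared = { ...manifest.dependencies, ...manifest.devDependencies };
  const findings = [];
  for (const [name, range] of Object.entries(declared)) {
    const entry = lockfile.packages[`node_modules/${name}`];
    if (!entry) findings.push(`${name}: not in lockfile, ${range} resolves at install time`);
    else if (!satisfies(entry.version, range))
      findings.push(`${name}: locked ${entry.version} is outside ${range}`);
    else if (!entry.integrity) findings.push(`${name}: no integrity hash recorded`);
  }
  return findings;
}

console.log(auditLock(manifest, lockfile).join("\n"));
```

In a build pipeline, npm ci performs the strict version of this check: it installs exactly what package-lock.json records and exits with an error if the lockfile and package.json disagree.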
